Federal agencies are making "significant strides" in dealing with longstanding IT security issues but much work remains, according to the Office of Management and Budget's (OMB) FY 2002 Report to Congress on Federal Government Information Security Reform.

The report notes that although the Bush administration has "applied more rigorous IT security reviews, more threats and vulnerabilities have also materialized."

The OMB is required by law to conduct annual federal IT security reviews under the Government Information Security Reform Act (GISRA). The law also mandates Inspectors General to perform annual independent security reviews of agency programs and systems and report the results to the OMB.

In the 2001 report to Congress, OMB identified six common government-wide security weaknesses: lack of senior management attention to IT security; non-existent IT security performance measures; poor security education and awareness; failure to fully fund and integrate security measures into the budget process; failure to ensure that contractor services are adequately secure; and lack of detecting, reporting and sharing of information vulnerabilities.

"A year later, progress is clearly evident across these six areas," the 2002 report states. "While additional efforts are still warranted, the federal government is headed in the right direction."

The report adds, however, that as more agencies conduct more thorough IT security reviews, more vulnerabilities are appearing. The OMB identified five specific areas of concern:

  • Many agencies find themselves faced with the same security issues year after year, such as a lack of system-level security plans and certifications and accreditations. The OMB plans to assist agencies in the budget process to prioritize and reallocate funds to address these problems;
  • Some inspectors general and chief information officers have "vastly different views" of an agency's security programs. The OMB says it will highlight those differences to agency chiefs;
  • Many agencies are not properly prioritizing their IT investments. For instance, many agencies are requesting funding for new systems while "significant security weaknesses" still exist in their legacy programs and systems. Again OMB plans to address the issue through budget planning guidance with the agencies;
  • Not all agencies are complying with GISRA by conducting annual program and system reviews; and
  • While awareness of IT security has spread beyond security and IT employees, more agency program officials must engage and be held accountable for ensuring that the systems that support their programs and operations are secure.

The report says the lack of IT security awareness beyond tech employees should prompt the government to think of security in a new manner.

"The old thinking of IT security as the responsibility of a single agency official or the agency's IT security office is out of date, contrary to law and policy, and significantly endangers the ability of agencies to safeguard their IT investments," the report states.