Federal agencies are making "significant strides" in dealing with longstanding IT security issues but much work remains, according to the Office of Management and Budget's (OMB) FY 2002 Report to Congress on Federal Government Information Security Reform.
The report says that although the Bush administration has "applied more rigorous IT security reviews, more threats and vulnerabilities have also materialized."
The OMB is required by law to conduct annual federal IT security reviews under the Government Information Security Reform Act (GISRA). The law also mandates that Inspectors General perform annual independent security reviews of agency programs and systems and report the results to the OMB.
In the 2001 report to Congress, OMB identified six common government-wide security weaknesses: lack of senior management attention to IT security; non-existent IT security performance measures; poor security education and awareness; failure to fully fund and integrate security measures into the budget process; failure to ensure that contractor services are adequately secure; and lack of detecting, reporting and sharing of information vulnerabilities.
"A year later, progress is clearly evident across these six areas," the 2002 report states. "While additional efforts are still warranted, the federal government is headed in the right direction."
The report adds, however, that as more agencies conduct more thorough IT security reviews, more vulnerabilities are appearing. The OMB identified five specific areas of concern:
The report says the lack of IT security awareness beyond tech employees should prompt the government to think of security in a new manner.
"The old thinking of IT security as the responsibility of a single agency official or the agency's IT security office is out of date, contrary to law and policy, and significantly endangers the ability of agencies to safeguard their IT investments," the report states.