By Mary Mosquera
Interior secretary Gale Norton disagrees with her department's
inspector general that the department does not meet federal security
requirements and has asked the Office of Management and Budget to
clarify its interpretation of those requirements.
Interior certified and accredited more than 98 percent of its systems
in fiscal 2005 to comply with the Federal Information Security
Management Act. During the year, Interior also made progress in
consolidating 13 networks into a single departmental enterprise
services network, with strong network perimeter security controls. The
three remaining bureau networks are undergoing consolidation now, she
said in a letter to OMB director Joshua Bolten last month.
"While IT security is not perfect, risks and vulnerabilities still
remain, and improvements need to be made, the policies and processes
to address those risks are adequate, improvements have been and will
continue to be made, and therefore, DOI substantially complies with
FISMA," Norton said in the letter.
OMB could not comment on Interior's request, an OMB spokesman said.
"We continue to work with every agency to improve security. We are
currently completing our analysis for the FISMA report to be released
in March," OMB spokesman Alex Conant said.
Norton said some of the reporting criteria on risk management were
ambiguous, leading to subjective judgment and individual perspectives.
The quality of Interior's certification and accreditation process is,
at a minimum, satisfactory, said Interior CIO Hord Tipton in a
redacted version of his FISMA evaluation.
Tipton's office also worked under the burden of producing 4.5 million
pages of documentation related to the long-running Cobell v. Norton
lawsuit, which has forced Interior to cut off some of its systems from
the Internet. The plaintiffs claim that Interior's IT security is weak
and that hackers can easily penetrate the Individual Indian Trust
"The CIO believes the IG's responses to several of the questions in
the FY 2005 reporting template exceed the basic requirements of FISMA
and do not take into account improvements made during the year in
response to the testing the IG conducted," Norton said.
Despite progress, Interior IG Earl Devaney said the department has
significant weaknesses in its network security, plans for corrective
actions and milestones, and certification and accreditation.
The IG's penetration testing demonstrated that Interior's network
infrastructure was vulnerable to unauthorized access from internal and
"(It) allowed us to compromise some of DOI's most sensitive
information," Devaney said in the public version of his evaluation.
Devaney rated Interior.s certification and accreditation program as
poor. Overall, Interior lacks an effective departmentwide strategy to
implement and oversee its various policies and procedures, he said.
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.