By Daniel Pulliam
March 2, 2006
Agencies improved slightly in fiscal 2005 at meeting computer security
standards, according to a report released Wednesday by the Office of
Management and Budget.
The percentage of agency information technology systems certified and
accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005,
just short of an administration goal of 90 percent, OMB stated.
Furthermore, the number of systems with tested contingency plans
increased from 57 percent to 61 percent over that same period, the
report to Congress  on the implementation of the 2002 Federal
Information Security Management Act found.
The number of agency IT systems also grew in that time, rising 19
percent from 8,623 to 10,289. Contractors or other non-government
organizations manage 1,105 of those systems on behalf of the
The Defense Department, which houses 3,583 IT systems, went from 58
percent of systems certified and accredited to 82 percent, though the
Pentagon inspector general gave the department a "poor" certification
and accreditation rating in the OMB report.
The Veterans Affairs Department, which reported 14 percent of its
systems as certified and accredited in fiscal 2004, reported that all
585 of its systems were certified and accredited the next year.
None of the inspector generals rated the certification and
accreditation process as failing, but eight rated it as "poor." Four
agency inspector generals rated it as "good," while the Social
Security Administration IG was the only one to rate it as "excellent."
Included in the report were goals needed to maintain a "green" status
-- the highest available grade -- in e-government on the Bush
administration's quarterly management score card. They involved
certifying and accrediting all IT systems by July 1, 2006, installing
and maintaining all systems with proper security configurations and
including continuity of operations provisions in the agency's
In fiscal 2005, agencies for the first time assigned risk levels to IT
systems, with 1,646 categorized as "high impact" and another 2,497 as
"moderate impact," the OMB report noted. Eighty-eight percent of those
rated as "high impact" were certified and accredited, it said.
Richard Tracy, chief technology and security officer of the Telos
Corp., an IT contractor, said he was pleased to see that agencies were
not "picking the low hanging fruit" by certifying and accrediting the
low-impact systems in order to improve their cybersecurity scores.
He said agencies are spending significant resources on the
certification and accreditation process in order to improve the
grades, but added that he would be curious to know whether they'll be
able to continue monitoring the systems once FISMA compliance is
OMB highlighted the oversight of contractor systems as a reason for
"strategic and continued management attention" and asked agency
inspectors general to confirm that systems operated by contractors
meet FISMA requirements.
Inspectors general for the Pentagon and the Homeland Security and
State departments told OMB their agencies "rarely" conduct oversight
of contractor-operated IT systems. Inspectors for NASA and the
Agriculture and Health and Human Services departments said their
agencies "sometimes" oversee IT systems operated by contractors.
Another area for concern according to OMB is the number of systems
with tested security controls, which dropped from 76 percent in fiscal
2004 to 72 percent in fiscal 2005.
Agencies' handling of incident reporting drew concern from OMB as
well, with DHS finding "sporadic reporting by some agencies and
unusually low levels of reporting by others."
"Less than full reporting hampers the government's ability to know
whether an incident is isolated at one agency or is part of a larger
event," the OMB report stated.
Agencies' process for planning, implementing and evaluating deficient
IT security policies -- known as POA&M -- drew concern because of
ineffective processes at the Defense, Agriculture, DHS and the
Interior, Transportation and Treasury departments.
House Government Reform Committee staffers still are reviewing the
report, according to Drew Crockett, spokesman for the panel's
chairman, Rep. Tom Davis, R-Va.
The committee is scheduled to release its annual cybersecurity grades
and discuss the OMB report at a March 16 hearing with Karen Evans,
administrator of OMB's Office of Electronic Government and Information
Technology, testifying, Crockett said in a statement.
InfoSec News v2.0 - Coming Soon!