Government auditors certified and accredited 77% of the federal government's 8,623 IT systems after undergoing risk assessments and security-control testing last fiscal year, up from 62% in fiscal year 2003, according to a White House report to Congress made public Friday. Several agencies, notably the departments of Labor and Transportation, showed remarkable improvements, with Transportation certifications rocketing to 98% from 33% and Labor accreditations leaping to 96% from 58%.
Karen Evans, administrator for E-government and IT in the White House Office of Management and Budget, said at a press briefing that she was pleased with the progress, but the government must be diligent even when all systems are eventually certified. "You can't be 100% secure," she said. "We're always constantly watching this stuff."
Among findings in the 56-page report:
- 85% of federal IT systems had security costs incorporated into their life-cycle planning costs, up from 77% in 2003.
- 77% had their management, operational, and technical controls tested, up from 64%.
- 75% had contingency plans designed to ensure continuity of operation. Officials tested 57% of these systems. In 2003, 68% had contingency plans and only 48% were tested.
- All agencies have begun developing and implementing security-configuration policies for at least some of their operating systems, the first time that claim can be made.
- 88% of all federal-government employees received some IT security training last year at a cost of $55 million, or $13.33 for each worker.
OMB asked agency inspectors general to evaluate the quality of their agencies' certification and accreditation processes. Here are their ratings:
- Good: Agency for International Development, General Services Administration, National Science Foundation, Nuclear Regulatory Commission, and the departments of Justice and Treasury.
- Satisfactory: Environmental Protection Agency, Office of Personnel Management, Social Security Administration, and the departments of Energy, Interior, Labor, State, and Transportation.
- Poor: NASA and the departments of Commerce, Defense, Education, Health and Human Services, Homeland Security, and Housing and Urban Development.
Two departments, Agriculture and Veterans Affairs, had incomplete evaluations. No agency was rated as failing.
The Federal Information Security Management Act requires that all systems be certified and accredited by July 1, a deadline officials concede likely won't be met. Congress requires OMB to report on IT systems certification annually. The report's findings are based in part on audits conducted by the respective agencies' inspectors general.
Author: Eric Chabrow
Source: Information Week, 04.03.2005