Further security guidance given
From: InfoSec News <isn () c4i org>
Date: Wed, 24 Oct 2001 02:16:38 -0500 (CDT)
By Diane Frank
Oct. 23, 2001
The Office of Management and Budget last week released additional
guidance on how agencies must comply with a new law that pulls all of
the federal information security mandates together and calls for
reports that the administration and Congress will review.

Under the Government Information Security Reform Act of 2000, agencies
must undergo annual self-assessments and independent assessments of
their security practices and policies. Agencies sent OMB the first set
of reports on the results in September.

By Oct. 31, agencies must turn in plans of action and milestones on
how they plan to fix the weaknesses found in those assessments and
indicate the resources and time frame for those corrections. The new
OMB guidance provides detailed instructions on what information must
be included in the reports, the format, how they will be tied to the
budget process, and what to include in the quarterly updates to
follow. The first update is due Jan. 31, 2002.

The plans must either be consolidated with or accompanied by other
agency plans to correct security weaknesses found in other reviews,
providing a better view for agency heads, OMB and Congress.

"A consolidated [plan] provides a road map for continuous agency
security improvement, assists with prioritizing corrective action and
resource allocation, and is a valuable management and oversight tool,"
according to the guidance.

The guidance is based on questions provided by agencies after OMB
released its instructions for the assessment reports in June. It is
presented in a question and answer format, with a sample plan that
outlines the eight categories of information agencies must provide:

* The type of weakness.
* The responsible office or organization.
* Estimated funding and resources required.
* The scheduled final completion date.
* Key milestones and completion dates.
* Milestone changes.
* The review that found the weakness.
* The plan's status (ongoing or completed).

Agencies should turn over the initial plan to OMB on a diskette as a
Microsoft Corp. Excel worksheet. OMB is not requiring a specific
format for the status updates.
ISN is currently hosted by Attrition.org