Report: Government Agencies Must Step Up Security
The White House push to secure the U.S. digital infrastructure does not exclude IT systems of federal agencies, according to the Office of Management and Budget (OMB), which released its Federal Government Information Security Report to Congress this week.
The OMB is required to submit the yearly report to Congress as part of the Federal Information Security Management Act (FISMA), which requires agencies to maintain adequate IT security in both new and existing IT systems.
According to the report, only half of the 24 federal government departments meet the minimum criteria for compliance with FISMA standards.
In its address to Congress this week, the OMB urged agencies to be proactive and spend budget money now to improve security of IT systems, rather than upgrading legacy systems and worrying about security later. The OMB said senior agency officials in government departments will be held accountable in the future if systems fail to comply with minimum security standards.
Eric Hemmendinger, director of security research at Aberdeen Group, said the critical report is likely the result of heavy lobbying in Washington, D.C., by private security firms in recent years.
"If I was to take the cynical approach, I'd say that the lobbying by private firms is starting to pay off," Hemmendinger told the E-Commerce Times. "These firms represent security vendors who realize that federal government security for the most part is woefully inadequate."
Hemmendinger added that the OMB essentially is embarking on a public relations campaign to raise the level of awareness about the need to improve security in agency IT systems. "This is no mandate to spend money to upgrade government security," he said. "Rather, it is a communications campaign run by the Bush White House.
"By creating awareness, the OMB has shown that security is on the radar and government departments need to keep it in mind," he added.
Expressing some skepticism about the process, Hemmendinger also noted that placing IT security "on the radar" should please the lobbying fraternity, as it does not hurt to have good relations with the Bush White House in an election year.
Due to the reporting requirements for FISMA, the OMB now has three years of benchmarking data to assess progress in IT security and suggest improvements.
Proactive Security Management
For his part, Yankee Group senior analyst Eric Ogren said proactive management of security needs is vital in both the enterprise and government sectors.
"Security teams that once reacted to security incidents now are proactively addressing network security throughout the life cycle, from vulnerability discovery all the way to confirmation of a deployed correction," Ogren told the E-Commerce Times.
Opportunities exist for private companies to take advantage of the need to more proactively secure government IT systems, particularly through outsourced managed security and vulnerability services.
The Yankee Group expects the managed security market will swell to nearly $190 million by 2006, Ogren said.