Federal Manager's Daily Report

Most of those testifying at the hearing spoke of increasing attacks, including the CIO of the Nuclear Regulatory Commission, Darren Ash, who noted that “computer viruses proliferate, and unscrupulous individuals are devising more clever ways to entice users, including federal employees, to open damaging attachments.”

Karen Evans, OMB’s e-gov and IT administrator, acknowledged the challenges facing agencies, but insisted that since passage of FISMA in 2002, the federal government has come a long way.

For example, in fiscal 2007, OMB met a milestone by certifying and accrediting over 90 percent of all information systems, Evans said, explaining that the process includes a comprehensive assessment of the management, operational, and technical security controls, and an official management decision given by a senior agency official to authorize operation of an information system.

Evans said that in the next year OMB intends to focus information security and privacy management attention on achieving a 100 percent accreditation rate for all operational systems as well as the following: properly identifying and providing oversight of contractor systems; reducing or eliminating systems in the FISMA inventory uncategorized by risk impact level; improving agency identification and reporting of security incidents; increasing general and job-specific training for federal employees and contractors; maintaining appropriate privacy documentation for 90 percent of applicable systems; and completing activities related to privacy recommendations.