Agencies made progress improving IT security in fiscal
2005, a period that saw the number of reported IT systems
grow by 19 percent from 8,623 to 10,289, according to an
annual Office of Management and Budget report to Congress
on the implementation of the Federal Information Security
Management Act of 2002.
It said an analysis of baseline performance measures
indicated a 32 percent increase in the number of systems
certified and accredited, from 6,607 to 8,735; a 28 percent
increase in systems with tested contingency plans, from
4,886 to 6,230; and modest increases in the quality of
agency certification and accreditation as well as agency
processes for planning, implementation and evaluation of
problems with IT security policies, or POA-and-M processes.
The report said, however, that uneven implementation of security
measures across the federal government leaves weaknesses, and
OMB said it would work with agencies to focus management
attention on the following: adherence to NIST publications,
including NIST Special Publication 800-53, “Recommended
Security Controls for Federal Information Systems”;
maintenance of system inventories, security configurations,
contingency plans, and contractor oversight; and continued
improvement in agency certification and accreditation and
POA-and-M processes.
The Departments of Defense, Agriculture, Homeland Security,
the Interior, Transportation, and Treasury all have
inadequate POA-and-M processes, the report said.
It said the administration intends to focus on the implementation
of an information security line of business to reduce cost and
increase security effectiveness across government.
The establishment of centers of excellence for security
training and FISMA reporting would be a first step toward
ensuring greater use of standardized products and services,
OMB said.
It also said the DoD moved from 58 percent to 82 percent of
systems certified and accredited and VA improved from 14
percent to 100 percent.