The body of this report discusses the steps taken by OMB and Federal agencies to implement the Government Information Security Reform Act ("Security Act") as well as additional efforts OMB and the agencies have taken to improve Federal information technology (IT) security. This report also lists six common government-wide security weaknesses OMB identified through review of agency Security Act reports.
To appropriately address these weaknesses, Federal agencies need to: 1) greatly increase the degree of senior management attention to security; 2) establish measures of performance to ensure senior agency management can evaluate the performance of officials with security responsibilities; 3) improve security education and awareness; 4) fully integrate security into the capital planning and investment control process; 5) ensure that contractor services are adequately secure; and 6) improve their ability to detect, report, and share information on vulnerabilities.
To ensure that security is addressed throughout the budget process, OMB directed agencies to: 1) report security costs for their IT investments; 2) document in their business cases that adequate security controls have been incorporated into the life cycle planning of each IT investment; 3) reflect each agency's security priorities as reported in its corrective action plans; and 4) tie their corrective action plans for an IT investment directly to the business case for that investment. Additionally, OMB will require large agencies to undergo a Project Matrix review to ensure a common methodology for identifying their critical assets and interdependencies.