NextGov
Tech Insider
What's happening in the federal IT community


Whole Lotta Security Goin' on in June
By Allan Holmes  |  Wednesday, May 14, 2008 |  5:41 PM

The following item was posted by Gautham Nagesh.

Because June marks the culmination of several initiatives to standardize information technology practices to improve information security, Karen Evans, administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget, took a moment on Tuesday to discuss the big picture at a conference sponsored by 1105 Government Information Group in McLean, Va.

Evans said the upcoming deadlines for agencies to comply with several IT initiatives were a deliberate choice, designed to help tie together the separate initiatives into one coherent security strategy across the government. She discussed the Trusted Internet Connection initiative, the shift to the newest Internet protocol called IPv6, the issuance of HSPD-12 credentials and the Federal Desktop Core Configuration, which requires users operating with a Microsoft desktop environment to adopt a standard configuration for the desktop.



A FISMA Alternative -- Finally
By Allan Holmes  |  Friday, May 9, 2008 |  5:20 PM

After years of calling for an alternative to the Federal Information Security Management Act of 2002, one may have been proposed -- or at least the start of one. As Nextgov reported today, Rep. Jim Langevin, D-R.I., introduced the 2008 Homeland Security Network Defense and Accountability Act. Generally, the knock against FISMA is that it measures processes, not results. For example, good FISMA compliance requires providing training for "employees with significant security responsibilities," but nowhere does it require the agency to test how much the employees learned or retained from the training. With FISMA, agencies aren't sure how good or bad their security vulnerabilities are because FISMA doesn't test for them.

Langevin's bill takes a stab at measuring actual security results, at least for the Homeland Security Department, and, as some security experts hope, could be governmentwide. The key to the bill is requiring DHS to test if it can successfully defend its networks against known cyberattacks and to conduct vulnerability testing. The bill would have DHS measure what is actually happening on the ground and defend itself against what are real threats.



Slipping It Under the Radar
By Allan Holmes  |  Thursday, April 24, 2008 |  5:34 PM

The following item was posted by Jill R. Aitoro.

The Office of Management and Budget has long touted the value of transparency in government. So explain this:

OMB released a report today on progress in implementation of Homeland Security Presidential Directive 12, or HSPD 12, which requires agencies to issue biometrically enabled credentials to all employees and contractors to replace standard flash badges. In that report, the total number of employees and contractors that will receive the badges was more than double what OMB reported only six months ago. OMB now reports that 4.3 million employees and 1.2 million contractors require new cards, compared to 1.9 million federal employees and 591,358 contractors, as reported in October 2007.

That change likely explains another anomaly. Ninety-seven percent of federal employees and 79 percent of contractors could not have completed the required background checks, as reported in October, because the latest report states that only 59 percent and 42 percent respectively have done so.

What’s the explanation for such a drastic difference? OMB opted not to provide one in a briefing on the latest numbers; in fact, the change in the numbers wasn’t even mentioned. When asked later, a spokeswoman attributed the undercount to faulty data. “We have better and more complete data now than we had previously,” she said.



IAC Appointments, SESers and Political Reality
By Alan Balutis  |  Tuesday, March 18, 2008 |  5:15 PM

In my industry/government conference wanderings, I stopped by Orlando this month for the annual IPIC conference. This is usually a "must attend" event in government and industry circles and has been around so long that few can recall what "IPIC" stands for. (Here's a hint: The first two letters stand for "Information Processing.")

So what was a hot topic for the government folks in attendance? Well, no surprise, it is the upcoming transition. For political appointees, it's all about their life after government, with only a little over 300 days left in office. For the careerists -- many of whom have never been through one before -- there was some apprehension about what will face them.

In the midst of that uncertainty comes a request from the Industry Advisory Council (IAC) leadership to several career government leaders to co-chair IAC's Transition Report effort. What is the drawback to such an invite? The industry co-chair is Mark Forman, now at KPMG and the first e-government czar at the Office of Management and Budget. Mark is a wonderful person -- bright, hard working, considerate. I think very highly of him. But how exactly would a career SESer (Senior Executive Service) explain his or her pairing with a representative of the previous administration to his or her new political boss? Even Sen. John McCain's campaign officials are thinking hard about how and where to use President Bush in the upcoming election campaign. It seems that "fundraising" and "securing the conservative base" are the main tasks at present.

But let's keep a watchful eye on which careerist lands this plum assignment from IAC. I will organize the pool on where that person lands -- after the first 120 days under a new political regime (that being the so-called "cooling off" period when an SESer cannot be moved). I hope there are openings at Unisys or InterImage.



Fraud, Waste and Abuse Risk Doesn't Exist Overseas?
By Robert Charette  |  Monday, March 17, 2008 |  8:09 AM

Amazingly, it appears that the risk of contract fraud, waste and abuse doesn't exist overseas, only here in the United States. At least that is according to the Office of Management and Budget, and the White House.

A story in the Washington Post notes that a new rule that requires U.S. contractors to report fraud, waste and abuse (FW&A) they find while performing work provided an exemption to those contractors doing work overseas.

So, the only conclusion one can reach is that OMB doesn't think there is any risk of FW&A in overseas contracts, or that it is perfectly OK for U.S. contractors to ignore (or engage in?) FW&A overseas.

So, which is it?



Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.



GAO High Risk is JTL
By Robert Charette  |  Saturday, March 8, 2008 |  4:01 PM

Last week the Government Accountability Office placed the Census Bureau’s 2010 census effort on its high risk list. As I have noted elsewhere on this blog, this is a case of risk management JTL – Just Too Late. The GAO really needs to change the name of its High Risk List to the Very Big Problem List, since nearly every one of the programs on its list is one in serious trouble. As highlighted by Census Bureau Director Steve Murdock in relationship to the issues that landed it on the GAO High Risk List, “I cannot overemphasize the seriousness of this problem.” (My emphasis.)

If the GAO really wants to do some real good, it needs to make a clear distinction between projects or programs in trouble and those headed for trouble.

Speaking of High Risk Lists, isn’t it about time for the fiscal 2008 first quarter OMB High Risk List to be published? I am really curious to see whether the fiscal 2007 fourth quarter improvement rate has continued.



Outsourcing Hollows Out Fed Tech Workforce
By J. Davidson Frame  |  Sunday, February 24, 2008 |  4:43 PM

The idea that government should not be in the business of business was first articulated by the Bureau of the Budget during the Eisenhower administration in the 1950s. BOB was the predecessor to the Office of Management and Budget, which was created in 1970 during the Nixon administration.

Government should not be in the business of business. What this principle means is that there are broad areas of business activity that should lie outside the domain of government effort, e.g., providing food service, manufacturing, advertising, and offering medical services.

When Ronald Reagan took office in 1981, one of his top priorities was to shrink government. He believed that many of the activities carried out by civil servants could best be executed by the private sector. So he instructed the Office of Federal Procurement Policy (OFPP) to aggressively implement OMB Circular A-76, a government directive geared toward privatizing government activities.



FISMA: Wrong Approach to Information Security
By Andy Boots  |  Friday, February 22, 2008 |  11:08 AM

When the Congress attempts to regulate behavior or dictate outcomes within or beyond the republic, it has few effective tools for direct control. Making an activity illegal does not stop the activity; it just changes the risk-reward calculus for anyone contemplating such an act. Rewarding certain economic choices with favorable tax treatment nudges the economy in certain directions (not always those wished for by the tax tinkerers).

The Federal Information Security Management Act (FISMA) is a wonderful example of Congress and the executive branch using blunt tools to bludgeon reality into a new path. The problem is clear: FedWorld doesn’t do a world class job of protecting sensitive information on either side of the Potomac. But the congressional response was to institute annual reporting, to empower (but not fund) inspectors general to provide independent assessments of the basis of such reports and to empower (but not fund) the National Institute of Standards and Technology (NIST) to develop standards for non-classified information.



How Important is Personal Information?
By Andy Boots  |  Friday, February 22, 2008 |  11:06 AM

On a scale of importance, where would you rank the following: taxpayer personal information, plans for weapons systems, pre-decisional legal or enforcement deliberations, names of informants in this or other countries, results of drug trials, pre-award procurement information, blueprints of government facilities, schedules of surprise enforcement actions (immigration, food safety, etc.), unpublished minutes of the Federal Reserve Board Open Market Committee, and official travel schedules of government officials in countries with active terrorist cells?

Because I am a government annuitant and a participant in various federal health benefit programs, you can bet I am concerned that the Office of Personnel Management and its contractors maintain the highest standards in protecting personal, banking, and health information about me and my family. But it is clear to me that other government information is worthy of even higher standards of protection.

Apparently, in FedWorld, personal information must be far more important than any other type of data, because protection of personal information appears to be the sole focus of attempts to “fix” the Federal Information Security Management Act (FISMA).

Then I remember that none of the other information types vote, so every elected official is elbowing others on the way to the microphone to proclaim his dedication to privacy principles … and the Office of Management and Budget is standing in line at the microphone to announce a new reporting requirement.

Billy Graham used to have a fellow who traveled everywhere with him whose sole responsibility was to detect when the Rev. Graham was getting carried away with himself or his mission and yell "bullsh**." I believe the U.S. government needs just such a person to keep the legislative and executive branches focused on protecting our most precious assets (including information). I would volunteer but the ceaseless shouting would be more than my aged body could stand.



Introduction to Andy Boots' Blog
By Andy Boots  |  Friday, February 22, 2008 |  11:03 AM

Since retiring from the federal government in 2007, I have watched with a mixture of alarm and amusement as the Office of Management and Budget, Congress, the National Institute of Standards and Technology, the inspectors general, the Government Accountability Office and agencies have continued to miss the point of information and mission assurance while enriching consultants and printer manufacturers by producing mountains of increasingly meaningless paperwork.

I intend to bring to readers’ attention various issues I believe deserve more critical thinking than is typically available in the federal enterprise (which I will henceforth call FedWorld).

I also believe:

• Information protection is better than security plans
• Privacy protection is better than privacy plans or impact statements
• Intrusion prevention beats the pants off intrusion detection
• Personnel security has almost nothing to do with HSPD-12
• Cybersecurity is only marginally related to information security
• … and so on.

Please remember my point of view before you comment on something I’ve written by chiding me that the Federal Information Security Management Act (FISMA) has it otherwise, that OMB guidance points in another direction, or that an IG will write me up. I no longer live in FedWorld so those customs and folk beliefs seem quaint.



The Cyber Initiative
By Bruce McConnell  |  Thursday, February 14, 2008 |  4:42 PM

Recently I had the privilege of talking about computer security at a hearing before two subcommittees of the House Committee on Oversight and Government Reform.

My principal focus was the Bush administration’s new "Cyber Initiative."

On Jan. 8, President Bush issued a new National Security/Homeland Security Directive. This order establishes a comprehensive, national cybersecurity initiative. Little is known publicly about the details of this national security order, because it is still classified. But it shows that information security is receiving serious attention at the highest levels of the executive branch. I believe this is good news.

The order creates an expanded role for the National Security Agency in protecting civilian agency systems. This raises some significant policy questions, such as, "How best can the government maintain and build trust with the private sector to promote computer security?"

For more on this topic, you can read my earlier post.
