Agency IT chiefs say they need to see the money

By Christopher J. DorobekGCN StaffInformation security has been widely heralded as the next big issue for government information technology officials to tackle, but analysts and many agencies are saying, 'Show me the money!'Some senior federal IT executives have recommended an emergency appropriation for critical infrastructure protection, following the year 2000 model.'I don't think the budget environment is at a point where we can do the things we want to do,' said Marguerite R. Coffey, chairwoman of the State Department's Critical Infrastructure Protection Governance Board.State chief information officer Fernando Burbano said agencies are working on budgets for fiscal 2002, which makes it difficult to put security measures in place now. Furthermore, he argued, recent denial-of-service attacks and other security breaches have created a window of opportunity in Congress.Yet despite the increased attention given to critical infrastructure protection, a new study conducted by Input Inc., a market research firm in Vienna, Va., predicts only moderate growth in agency IT security spending.The survey, Federal IT Security Market View, indicates that the market for IT security products and services will grow by 5 percent annually. IT security spending is expected to reach almost $1 billion by 2004.Officials from the Office of Management and Budget, speaking at an IT security conference last week, said OMB is generally opposed to centrally controlled funds, preferring that agencies build IT security funding into their budgets. OMB policy analyst Margaret Evans said the year 2000 supplemental fund was difficult to manage.But managing the funds might not be an issue at all, Evans said. Congress has been less than receptive to the administration's funding requests for critical infrastructure protection.Last year, lawmakers rejected outright a request for supplemental funds, and the House this year has given the administration's $9 million request for fiscal 2000 a cold shoulder.'There is not a uniform appreciation to be found,' she said. 'Our position on the criticality of this issue is well-known.'In any case, money cannot be used as a crutch for agencies, OMB officials said. Security has always been a requirement for information systems, and IT security should be a part of budgeted system lifecycle costs, they said.The Computer Security Act has been around for 12 years, OMB policy analyst Glenn Schlarman said at the Critical Infrastructure Protection Day conference sponsored by the CIO Council's Security, Privacy and Critical Infrastructure Committee.IT security should be woven into the program, and budgets must account for the entire lifecycle costs of a system, Schlarman said. But agencies have not done all they can do, Schlarman said. Few agencies have tied performance goals to security, he said.His comments echoed guidance from OMB director Jacob J. Lew, issued late last month, that makes funding for IT projects conditional on adequate security.'The most effective way to protect information and systems is to incorporate security into the architecture of each. This approach ensures that security supports agency business operations'thus facilitating the operations'and that plans to fund and manage security are built into lifecycle budgets for information systems,' Lew said.'In general, OMB will consider new or continued funding only for those system investments that satisfy [the OMB criteria], and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria,' he said.Many agencies have not given IT security as much attention as they should and have used security funds for other projects, OMB officials acknowledged. Agencies must improve assessments of lifecycle costs, OMB officials said.Part of the problem is the budget process. Evans said OMB has been spearheading a cross-agency effort to fund security projects, but congressional appropriations committees are leery of giving up control.Lawmakers have recognized the possible need for reorganization to track crosscutting concerns such as IT security. The Senate Special Committee on the Year 2000 Technology Problem, in its final report issued last month, noted that funding for critical infrastructure protection is spread over 15 agencies and overseen by nine committees.'This presents numerous challenges to effective congressional oversight and policy initiatives,' the report said. 'The Senate must examine the congressional structure and its efficacy for addressing critical infrastructure protection and future IT issues.'Meanwhile, President Clinton has told agencies to step up efforts to ensure critical infrastructure protection in the wake of several denial-of-service attacks.'The president said he told White House chief of staff John Podesta to coordinate a review of agency vulnerabilities and report back by April 1.'Within legal and administrative limits, attention should also be paid to contractors providing services,' Clinton said.'These Internet disruptions highlight how important computer networks have become in our daily lives, and how vulnerabilities can create risks for all'including the federal government,' Clinton said in a memo.Clinton's memo is online at . For the OMB guidance, go to .