Federal Chief Information Officers Council Releases Security Self-Assessment Tool
December 8, 2000
Contacts: Eleni Martin (202) 501-1231
Marianne Swanson, NIST
Washington, DC -- The Chief Information Officers (CIO) Council today released the first version of the Federal Information Technology Security Assessment Framework (http://www.cio.gov). The Framework provides a methodology for agencies to determine the security status of their individual assets and programs, as well as that of the entire agency. It will also help agencies prioritize their efforts for improvement.
"This Framework gives the Federal government a standard by which to measure itself and it's a start to improving security programs across government," said Jim Flyzik, Vice-Chair of the CIO Council. "I'm very pleased with the significant collaboration done by the participants."
Assessing the effectiveness of security programs and controls is key to achieving and maintaining adequate security. The recently enacted Government Information Security Reform Act, part of the Defense Authorization Act (P.L. 106-398), requires annual agency program reviews and Inspector General audits of information security programs and practices. This Framework will assist agencies in performing these required reviews.
Brian Burns and John Gilligan, Deputy CIOs of HHS and Air Force, respectively, led the work on this effort with the Security Committee of the Council. Burns stated that "This Framework is intended to be a foundation for a more detailed and complete set of tools that will include a series of questionnaires on specific areas." The companion self-assessment questionnaire is being developed by NIST and will be issued early next year.
The Framework builds on existing mandates to identify an organization's security readiness. It was developed by the CIO Council, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology, with the input of a number of federal agencies and in close cooperation with the General Accounting Office (GAO). It is based upon requirements found in OMB and GAO security policies and NIST recommended security practices. In a letter accompanying the release of the framework, GAO indicates: "We commend the federal Chief Information Officers Council for encouraging agencies to routinely evaluate the status of their information security programs and for providing this Security Assessment Framework as a tool to facilitate such efforts. Only by measuring progress and evaluating the effectiveness of policies and controls can management determine where improvements are needed."
The Chief Information Officers (CIO) Council was established by Executive Order 13011, Federal Information Technology, on July 16, 1996, to serve as the principal interagency forum to improve the management of information technology in the Federal Government.