Incorporating and Funding Security in Information Systems Investments

February 28, 2000

M-00-07

MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

From: Jacob J. Lew
Director

Subject: Incorporating and Funding Security in Information Systems Investments

This memorandum reminds agencies of the Office of Management and Budget's (OMB) principles for incorporating and funding security as part of agency information technology systems and architectures and of the decision criteria that will be used to evaluate security for information systems investments. The principles and decision criteria are designed to highlight our existing policy and thereby foster improved compliance with existing security obligations; this memorandum does not constitute new security policy. OMB plans to use the principles as part of the FY 2002 budget process to determine whether an agency's information systems investments include adequate security plans.

Protecting the information and systems that the Federal government depends on is important as agencies increasingly rely on new technology. Agencies are working to preserve the integrity, reliability, availability, and confidentiality of important information while maintaining their information systems. The most effective way to protect information and systems is to incorporate security into the architecture of each. This approach ensures that security supports agency business operations, thus facilitating those operations, and that plans to fund and manage security are built into life-cycle budgets for information systems.

This memorandum is written pursuant to the Information Technology Management Reform Act (the Clinger-Cohen Act) which directs OMB to develop, as part of the budget process, a mechanism to analyze, track, and evaluate the risks and results of major capital investments made by an executive agency for information systems. Additionally, the Clinger-Cohen Act calls for OMB to issue clear and concise direction to ensure that the information security policies, processes, and practices of the agencies are adequate. These criteria will be incorporated into future revisions of OMB Circular A-130 ("Management of Federal Information Resources") and should be used in conjunction with previous OMB guidance on sound capital planning and investment control in OMB Memorandum 97-02, "Funding Information Systems Investments"; OMB Memorandum 97-16, "Information Technology Architectures"; and subsequent updates.

Security programs and controls implemented under this memorandum should be consistent with the Computer Security Act, the Paperwork Reduction Act, the Clinger-Cohen Act, and OMB Circular A-130. They should also be consistent with security guidance issued by the National Institute of Standards and Technology (NIST). Security controls for national security telecommunications and information systems should be implemented in accordance with appropriate national security directives.

Principles

The principles outlined below will support more effective agency implementation of both agency computer security and critical information infrastructure protection programs. In terms of Federal information systems, critical infrastructure protection starts with an effort to prioritize key systems (e.g., those that are most critical to agency operations). Once systems are prioritized, agencies apply OMB policies and, for non-national security applications, NIST guidance to achieve adequate security commensurate with the level of risk and magnitude of likely harm.

Agencies should develop security programs and incorporate security and privacy into information systems with attention to the following principles:

· Effective security is an essential element of all information systems.

· Effective privacy protections are essential to all information systems, especially those that contain substantial amounts of personally identifiable information. The use of new information technologies should sustain, and not erode, the privacy protections provided in all statutes and policies relating to the collection, use, and disclosure of personal information.

· The increase in efficiency and effectiveness that flows from the use of interconnected computers and networks has been accompanied by increased risks and potential magnitude of loss. The protection of Federal computer resources must be commensurate with the risk of harm resulting from any misuse or unauthorized access to such systems and the information flowing through them.

· Security risks and incidents must be managed in a way that complements and does not unnecessarily impede agency business operations. By understanding risks and implementing an appropriate level of cost-effective controls, agencies can reduce risk and potential loss significantly.

· A strategy to manage security is essential. Such a strategy should be based on an ongoing cycle of risk management and should be developed in coordination with and implemented by agency program officials. It should identify significant risks, clearly establish responsibility for reducing them, and ensure that risk management remains effective over time.

· Agency program officials must understand the risk to systems under their control and determine the acceptable level of risk, ensure that adequate security is maintained to support and assist the programs under their control, and ensure that security controls comport with program needs and appropriately accommodate operational necessities. In addition, program officials should work in conjunction with Chief Information Officers and other appropriate agency officials so that security measures support agency information architectures.

Policy

Security should be built into and funded as part of the system architecture. Agencies should make security's role explicit in information technology investments and capital programming. These actions are entirely consistent with and build upon the principles outlined in OMB Memorandum 97-02. Accordingly, investments in the development of new or the continued operation of existing information systems, both general support systems and major applications, proposed for funding in the President's budget must:

1. Be tied to the agency's information architecture. Proposals should demonstrate that the security controls for components, applications, and systems are consistent with and an integral part of the information technology architecture of the agency.

2. Be well-planned, by:

a) Demonstrating that the costs of security controls are understood and are explicitly incorporated in the life-cycle planning of the overall system in a manner consistent with OMB guidance for capital programming.

b) Incorporating a security plan that discusses:

· the rules of behavior for the system and the consequences for violating those rules;
· personnel and technical controls for the system;
· methods for identifying, appropriately limiting, and controlling interconnections with other systems and specific ways such limits will be monitored and managed;
· procedures for the on-going training of individuals that are permitted access to the system;
· procedures for the on-going monitoring of the effectiveness of security controls;
· procedures for reporting and sharing with appropriate agency and government authorities indications of attempted and successful intrusions into agency systems;
· provisions for the continuity of support in the event of system disruption or failure.

3. Manage risks, by:

a) Demonstrating specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time.

b) Demonstrating specific methods used to ensure that the security controls are commensurate with the risk and magnitude of harm that may result from the loss, misuse, or unauthorized access to or modification of the system itself or the information it manages.

c) Identifying additional security controls that are necessary to minimize risks to and potential loss from those systems that promote or permit public access, other externally accessible systems, and those systems that are interconnected with systems over which program officials have little or no control.

4. Protect privacy and confidentiality, by:

a) Deploying effective security controls and authentication tools consistent with the protection of privacy, such as public-key based digital signatures, for those systems that promote or permit public access.

b) Ensuring that the handling of personal information is consistent with relevant government-wide and agency policies, such as privacy statements on the agency's web sites.

5. Account for departures from NIST Guidance. For non-national security applications, to ensure the use of risk-based cost-effective security controls, describe each occasion when employing standards and guidance that are more stringent than those promulgated by the National Institute for Standards and Technology.

In general, OMB will consider new or continued funding only for those system investments that satisfy these criteria and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria. Agencies should begin now to identify any existing systems that do not meet these decision criteria. They should then work with their OMB representatives to arrive at a reasonable process and timetable to bring such systems into compliance. Agencies should begin with externally accessible systems and those interconnected systems that are critical to agency operations. OMB staff are available to work with you if you or your staff have questions or need further assistance in meeting these requirements.