President Bush's proposed budget for fiscal 2009 includes $7.3 billion for cybersecurity efforts -- a 9.8 percent increase from last year and a 73 percent increase from fiscal 2004.
According to documents issued by the Office of Management and Budget, five agencies currently rate unsatisfactory in cybersecurity efforts, based on reports from inspectors general. The Defense Department is still undergoing an audit.
Federal agencies submitted planned IT security spending to OMB as part of their budget requests. On average, agencies planned to spend 10.3 percent more on their IT security efforts in fiscal 2009, compared to the prior year. The highest increase -- 129.7 percent -- came from the Transportation Department, which earmarked $765 million in cybersecurity. Defense aims to spend $4 billion on cybersecurity efforts in fiscal 2009, a 3.4 percent increase over the enacted fiscal 2008 while the president's budget proposed $404 million in IT security funds for the Homeland Security Department, a 5 percent increase.
These funds are separate from the $294 million in the DHS budget that will go to cross-government cybersecurity efforts -- most notably the continued deployment of the Einstein system, an automated process for collecting and analyzing computer security information across civilian agencies to protect against cyberthreats and intrusions.
"[Agencies'] policies are supposed to ensure cybersecurity and privacy is thought about from the beginning," said Karen Evans, OMB's e-government and information technology administrator, during a Thursday briefing on the IT budget. "The percent of security spending is not the same for everyone, but varies" according to the circumstances of the agencies, she added.
For example, Transportation moved into a new building, and so requested a boost in funds to support the secure transition of its IT infrastructure, while the Army Corps of Engineers plans to reduce its cybersecurity spending by 40 percent due to a competitive sourcing initiative that led to the outsourcing of all IT services.
Funds allocated to IT are subject to change in March, Evans said, when OMB makes necessary budget adjustments.
As far as the current status of cybersecurity efforts, five agencies rated unsatisfactory in the latest IG audits for compliance with the 2002 Federal Information Security Management Act. All seek cybersecurity funding increases for fiscal 2009:
In the case of VA, only 35 percent of contingency plans had been tested at the time of its first-quarter fiscal 2008 FISMA audit. Also by that date, only 20 percent of NRC's systems were certified and accredited, and only 15 percent of its contingency plans tested.
Evans said that poor marks in cybersecurity will put agencies' programs on OMB's high-risk list in fiscal 2009, which means more stringent management and performance oversight.
"VA has a poor certification and accreditation process, [and] cybersecurity continues to be an issue, so the whole portfolio is on the list," she said.
Defense has yet to complete its FISMA audit, due to disagreement between the chief information officer, John Grimes, and the inspector general about how to rate programs, Evans said. "[Defense] wants it to be of value. There's a tension there right now, which we think is healthy."