Return on Investment
Situation
The Administration has taken unprecedented steps to reform the budget process by establishing a systematic, consistent method for developing program performance ratings and then using that information to make budget decisions. The Office of Management and Budget (OMB) has also emphasized the IT security and enterprise architecture requirements of Circular A-11, Section 300. Budgets are being withheld for business cases (Exhibit 300s) that do not adequately address these requirements. The implementation of agency strategic plans therefore hinges on the quality of the 300s and on how well agencies monitor the performance of their IT security and architecture budget allocations.
Analysis
IT security managers are now an integral resource in the agency's Capital Planning and Investment Control (CPIC) process. Security managers must document security requirements within the system development life cycle for IT procurements, as well as the performance of plans of action and milestones (POA&Ms) and other CPIC requirements. To do this, IT security managers must learn new financial skills so they can help their agencies obtain the funds required to meet their missions.
Solution
System 1 was chosen by the National Institute of Standards and Technology (NIST) to research agencies' methods of determining Return on Security Investment as well as their overall approaches to CPIC. System 1 also worked with OMB and the Government Accountability Office (GAO) to identify best practices from the research. Drawing on OMB guidance, those best practices, industry input, and NIST management, System 1 and a partner are developing a workshop to help agencies integrate IT security into their capital planning and investment processes. Areas of assistance include the CPIC governance process, FISMA reporting instructions, security investment life-cycle planning, business case analysis, analysis of alternatives, and prioritization of corrective actions.