Improvement in agency information security practices are sorely needed, as was demonstrated in an analysis of audits that found that 22 of the largest Federal agencies were not adequately protecting critical Federal operations and assets from computer-based attacks. The following six areas of management and general control weaknesses were repeatedly highlighted in these reviews: (1)entitywide security program planning and management; (2) access controls; (3) application software development and change controls; (4)segregation of duties; (5) system software controls; and (6) service continuity controls. Computer security can only work within agencies if a strong management framework is in place. S. 1993, the Government Information Security Act of 1999, incorporates the basic tenets of good security management. The bill proposes improvements in three significant areas: (1) following a risk-based approach to information security; (2) performing independent annual audits of security controls; and (3) approaching security from a government-wide perspective taking into account the varying information security needs of both national security and civilian agency operations. While S. 1993 would update the current legislative framework for computer security, two important considerations not addressed in the bill -- the need for better-defined security control standards and the need to clarify and strengthen leadership for information security across government -- are critical to strengthening security practices and oversight. For better-defined security control standards, a set of data classifications could be used by all Federal agencies to categorize the criticality and sensitivity of the data they generate and maintain. For leadership in information security, the Federal Government must have the support of top leaders and more clearly defined roles for those organizations that support government-wide initiatives. 9 footnotes