Q&A: Rep. Davis on latest federal IT security report card

Computerworld - House Government Reform Committee Chairman Tom Davis (R-Va.) last week released the 2004 federal government computer security scorecard, which gave federal agencies an overall D+ average (see story). Several agencies, including the Department of Homeland Security and the Department of Energy, scored F's for the second year running. Others, such as the Department of Transportation, showed big improvements.
In this interview with Computerworld, Davis talked about the government's performance on the score card and warned that more mandates could be on the way if federal agencies don't fix their security issues soon.
What are your conclusions about the overall performance of government agencies? I think it is improving, but it's not improving fast enough at this point. The overall agency scores rose by 2.5 points, but they still scored a D+. We just need to continue to give this focus, and hopefully we won't have some kind of cyberattack or cyber-Pearl Harbor. We have to be inspired by that to try and stay ahead of the curve.
Why are some agencies faring so well while others appear to be struggling? Leadership. It's about leadership. It basically goes to the CIO and the agency heads and their ability to coordinate on this. They have to get this focused. They need to get a plan, [and] they need to execute on it. Some agencies have put the resources into it, and others haven't. We have independently verified these scores. Some have still a long way to go.
What's the incentive to improve when there are no funding or other repercussions for bad grades? I don't know if you want to punish people by withholding funding. That makes it even tougher for them to meet their goals. But I think there may be an embarrassment factor. If you want to have career advancement and you come off an agency that has got a bad FISMA [Federal Information Security Management Act] grade, it probably isn't going to help you move to the next level. I think this is part of the evaluation process. Eventually, I think there will be a funding attachment. These score cards are fairly new, and we are trying to get an appropriations buy-in.

Many of the recommended security controls for federal agencies will become mandated requirements by the end of this year. What impact will that have on the score cards next year. Mandates are better than suggestions, unfortunately. You hate to get to the point where you have to mandate things that need to get done. But I think