Congress rips DHS, DOD for low cybersecurity grades
DHS and DOD pull Fs in annual government assessment
IDG News Service - Members of the U.S. Congress today lectured technology executives at two major security agencies for failing cybersecurity scores, with one congresswoman saying she doesn't feel safe because of the problems.
"What's happening at the two most strategic and sensitive agencies?" said U.S. Rep. Diane Watson, commenting on the F grades given to the Department of Homeland Security and the Department of Defense by the House Government Reform Committee. "Is there incompetence? Is there cronyism?
"I don't feel comfortable that my homeland is secure," Watson added during a committee hearing, a day after the committee released the 2005 cybersecurity scores for 24 major U.S. government agencies.
The DHS and DOD both received F grades for 2005, with DOD declining from a D grade in its 2004 score. Six other agencies, including the departments of State and Energy, also received Fs. Seven agencies received grades of A- or better, with the Department of Labor and the Social Security Administration among five agencies receiving A+ grades. (See five years' worth of scores here.)
Committee Chairman Tom Davis, a Virginia Republican, said improved cybersecurity at federal agencies is "vital" to national security and the U.S. economy. "When it comes to federal IT policy and information security, it is still difficult to get people -- even members of Congress -- engaged," Davis said. "None of us would accept D+ grades on our children's report cards. We can't accept these either."
Technology executives at both agencies said their size, their widely dispersed employees and their varied missions contributed to a complex and quickly changing IT environment. Both agencies said they've made dramatic improvements in recent months.
The DOD deploys networks on the fly for soldiers and sailors, said Robert Lentz, director of information assurance for DOD. "We have very large and very diverse, dynamic organization deployed worldwide," Lentz said. "Things are changing all the time."
Karen Evans, administrator of the White House Office of Management and Budget's Office of E-Government and Information Technology, agreed that large agencies can have a tougher time complying with the Federal Information Security Management Act (FISMA), passed by Congress in 2002. FISMA requires agencies to complete IT inventories, test for security vulnerabilities and develop remediation plans in the event of major attacks or outages.
"It sounds as if you are defending the incompetency of DHS," responded Rep. William Lacy Clay, a Missouri Democrat.
DOD has made several recent improvements, Lentz said. The agency has begun a process to track IT security personnel and security certifications, he said, and it conducted cybersecurity training for 2 million of the 2.6 million DOD military, civilian and contract workers who had access to DOD networks, he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts