Feds See Slight Gain On Security Marks
Overall grade up to C-, but eight agencies still flunk FISMA test
April 16, 2007 12:00 PM ET - Computerworld -
The federal government last week received an overall grade of C- on an annual IT security report card issued by Rep. Tom Davis (R-Va.). That was a slight improvement from the D+ grades handed out for the two previous years, but eight agencies got failing marks — the same number as last year.
The agencies at the bottom of the report card included the departments of Defense, State, the Interior and the Treasury, as well as the Nuclear Regulatory Commission. It was the second straight F grade for the Defense, State and Interior departments. Meanwhile, the Department of Homeland Security received a D, up one grade from an F a year ago.
Karen Evans, administrator of e-government and IT at the White House Office of Management and Budget, said at a press conference in Herndon, Va., that she was encouraged by the improvement in the overall security grade but not satisfied with the results. “I would not accept a C- on my kids’ report cards,” Evans said. “Average is not good enough.”
The grades are based on reports compiled annually by the agencies’ inspectors general to comply with the requirements of the Federal Information Security Management Act, which Davis authored. The FISMA reports submitted for 2006 show that more agencies are testing their security controls and contingency plans and that the reporting of security breaches has “increased dramatically,” said Davis, who is the ranking minority member on the House Committee on Oversight and Government Reform.
However, Davis said more improvements need to be made in areas such as secure systems configuration and the development of effective security plans, as well as establishing milestones for measuring the progress of the plans.
Not everyone is convinced, though, that the FISMA-based report card provides a clear picture of the security posture within federal agencies.
Avoiding a Black Eye
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said that although the grades for 2006 appear to show an overall improvement, at least some of the gains likely are the result of “a few more agency [inspectors general] deciding it wasn’t worth it to give a black eye to their departments” by issuing a poor assessment of their security practices.
Paller also pointed to continuing limitations in how agencies are assessed for security readiness. For example, one of the most important contributors to a good FISMA grade is the level of compliance within an agency to hardware and software configuration standards established by its information security team.