Federal Agencies Get Poor Grades for Security

But CIOs blast report methodology, value

September 18, 2000 12:00 PM ET

Computerworld - Washington
A congressional subcommittee investigating the ability of federal agencies to protect computer systems from terrorists and hackers last week released its first report card on government information security practices, handing out Fs and Ds to about half of the group.
The results were "very dismal," said Rep. Stephen Horn (R-Calif.), chairman of the Subcommittee on Government Management, Information and Technology. "There is no room for complacency, for the stakes are simply too high."
The report card put federal CIOs, as well as the White House, on the defensive at a subcommittee hearing. No federal agency received an A, and the overall grade for the largest federal agencies and departments was D-.
In response, John Spotila, an administrator at the White House Office of Management and Budget, questioned the committee's grading methodology, the report card's value and its implied conclusion that government systems are sitting ducks for hackers.
"I think the reality is that the agencies have worked very hard to protect the confidentiality of information," said Spotila, who asked how an overall grade could be applied to the federal government's 26,000 separate systems. "What does that tell you about how well the most important things are being done, which systems are done well [and] which systems are not?"
But the General Accounting Office (GAO), the investigative arm of Congress, backed up the subcommittee's findings. "The risks are very high and the breadth of the potential impact very wide," said Joel Willemssen, who heads the GAO's information systems division and testified at last week's hearing.
"Federal CIOs are not asleep at the wheel," said John Gilligan, CIO at the Department of Energy. Gilligan defended the efforts of federal agency information technology leaders to improve security. He also faulted a lack of funding and oversight for governmentwide security programs.
The grades were based on a 29-question survey sent to 54 federal departments and agencies. The questions covered six broad areas, including security planning, the protection of software and systems from unauthorized access and the ability to continue operations in the event of disruptions. The GAO audited the results and released a report claiming that federal agencies have "serious and widespread" security weaknesses.
The departments and agencies that flunked included the Small Business Administration and the departments of Agriculture, Justice, Labor, Interior and Health and Human Services. The Social Security Administration had the group's highest score, attaining a B.
Federal CIOs said improvements will take money. "The reality is that until computer security is fully funded, it will remain much too vulnerable," said Ira Hobbs, deputy CIO at the Department of Agriculture.