U.S. agencies earn overall grade of D for computer security

Computerworld - For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology. The subcommittee released its report today.
The Department of Homeland Security was one of eight agencies that received a grade of F for its network security efforts. In 2002, 13 agencies received a failing grade.
DHS officials couldn't be reached for comment this afternoon.
The U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State also received failing grades. On the other end of the scale, two agencies received an A or A- score: the Nuclear Regulatory Commission and the National Science Foundation. The Social Security Administration received a B+, and the Department of Labor got a B.
The report card graded agencies on their progress in complying with the Federal Information Security Act of 2002, which requires federal agencies to submit data on their computer security programs to the Office of Management and Budget every September.
"Obviously, the fact that the federal government has moved from an overall score of F to D and 14 agencies showed improvement in their scores is a positive sign," said Bob Dix, the subcommittee's staff director. "However, Chairman [Adam] Putnam is still disappointed that there is not more progress being made, faster."
Dix said the fact that there are still eight agencies with failing grades is troubling to Putnam, who believes the issue hasn't been given the priority it deserves.
"While some of the agencies provided evidence of strong support by virtue of the strong scores they got, others continue to have failing grades, which is evidence that they haven't given the proper attention to this issue," Dix said.
He said that Putnam (R.-Fla.) is convinced that the federal government needs to be a leader in cybersecurity issues and needs to set the standard for the private sector. "We are just not doing enough to achieve the results that we must achieve," Dix said.
But Rich Caliari, directory of product strategy at Harris Corp.'s STAT network security unit in Melbourne, Fla., said there was a lot of positive movement from 2002 to this year. He said some of the agencies that earned low grades have recently purchased technologies designed to help them improve their network security.
"For most departments, this will be a three- to five-year project,"Caliari said.