Federal agencies due for information security report cards

Computerworld - U.S. Rep. Tom Davis (R-Va.), ranking member of the House Committee on Oversight and Government Reform, today is scheduled to release the annual federal computer security report card, which grades the performance of the 24 agencies covered by the Federal Information Security Act (FISMA).

He is also expected to announce a series of new incentives designed to improve security at federal agencies, according to a release posted on the committee's Web site.

Among those scheduled to speak at the committee hearing are Karen Evans, de facto federal CIO and administrator of electronic government and IT at the White House's Office of Management and Budget (OMB). Also speaking will be Lisa Schlosser, CIO of the U.S. Department of Housing and Urban Development, and Bobbie Kilberg, president and CEO of the Northern Virginia Technology Council.

The report card, issued by the Government Reform Committee, is based on security evaluations defined in FISMA. The evaluations are compiled by the committee based on information provided to Congress each year by the inspector general from each agency.

Last year, the federal government scored an overall grade of D+ for the second year in a row. Eight of the 24 agencies, including the Departments of Homeland Security, Defense, State, Energy and the Interior, received failing grades. Among the seven agencies that got at least an A- were the U.S. Department of Labor, the Social Security Administration and the Environmental Protection Agency.

Though the grades are generally perceived as an indication of the security readiness of federal agencies, some in the past have questioned its real value.

For instance, a survey of 30 federal chief information security officers in 2005 by Telos Corp., an Ashburn, Va.-based IT service provider to federal agencies, showed a majority asking for significant improvements in the evaluation criteria used to measure security readiness.

Sixty percent of the CISOs surveyed said the federal report card was a useful indicator of their security preparedness. At the same time, they questioned the value of the report card, noting that agency funding for IT security was not affected by bad grades. Federal CISOs in the survey also expressed concerns about a lack of guidance about security requirements, system definitions and the evaluation methods used by inspectors general to grade agencies.