The federal computer security report card: Lessons from Uncle Sam

April 8, 2004 12:00 PM ET

Computerworld - For the fourth year in a row, the federal government released its "Report Card on Computer Security at Federal Departments and Agencies." The average grade for fiscal 2003 was a D (65). The overall average grade in 2002 was an F (55); in 2001, it was also an F (53). Since 2000 was the first year that any measurements were taken, that year's score was "Incomplete" with a letter grade of D-.

Looking at the situation through the lens of an eternal optimist (and realist), maybe, just maybe, agency heads, the Office of Management and Budget and Congress will start looking for ways to get these agencies where they should be. An empire in the age of technology can and should be able to get passing grades in information security.


As an alternative to looking at the trends and drawing the conclusion that things aren't really that bad since, after all, the overall score is improving, let's examine instead the underlying factors that led to these scores. Then we can see why our dear Uncle Sam needs some help, and we can offer some suggestions.


Through this analysis, it will become clear that the issues are related to establishing, maintaining and measuring enterprise security management strategy as part of the systems development life cycle so that no government agency or company ever has to settle for a D.


Why the bad grades?


To answer that, we need to examine the factors upon which the scorecard is based. These include the certification and accreditation processes. We also need to recognize the subtle distinctions between the categories of IT systems, namely general support systems and major applications (a.k.a. mission-critical applications), and to realize that many legacy systems are still in service long after they should have been retired. Ready?


First, here's the process, which sounds simple. The National Institute of Standards and Technology (NIST), a component of the U.S. Department of Commerce, publishes and updates its policy guidance for information security. Federal agency security chiefs are supposed to see that these guidelines are followed within their agencies. The problem is that the NIST guidance isn't very concise regarding implementation. It also isn't an operational procedure manual. Rather, to a great extent, it's a higher-level management policy document. This creates a gap between knowing what to do and how to do it. Yet the scorecard rates an agency on how well it implements the guidelines.


Then there's the reporting scheme, which is handled by each agency's own Office of the Inspector General. These offices are designed as semi-autonomous bodies operating within and under the jurisdiction of each agency head.

