Federal agencies get a D+ on cybersecurity

Computerworld - Despite some improvements over last year, the overall security of federal government computer systems still merits only a D+ average, with seven of the 24 agencies receiving failing grades in the federal computer security report card released by the House Government Reform Committee yesterday.
The D+ average, a slight improvement over last year's D grade, is an indication that federal agencies are moving in the right direction, said Government Reform Committee Chairman Tom Davis (R-Va.) in a statement yesterday.
"The good news is, the grade for government agencies overall rose 2.5 points last year. The bad news is, the overall grade is a D+," Davis said.
The House committee report coincided with the release of the results from a separate survey in which 30 federal chief information security officers (CISO) gave the House committee's report card itself a C. That survey, conducted by Telos Corp., an Ashburn, Va.-based IT service provider to federal agencies, cited the need for "significant" improvements in the evaluation criteria used to measure government agencies.
The Telos report was based on telephone surveys of 26% of federal agency CISOs, according to the company.
The Federal Computer Security Report Card is issued annually by the Government Reform Committee and is based on security evaluations defined in the Federal Information Security Management Act (FISMA) of 2002. The evaluations are compiled by the committee based on information provided by the inspector general from each agency.
Sixty percent of the CISOs surveyed by Telos said the Federal Report Card provided useful insight into their security preparedness. But they also questioned the real impact of the report card, noting that agency funding for IT security was not affected by bad grades.
"What is the purpose of evaluating and grading if there is no incentive for good performance and no repercussions for poor performance?" said Richard Tracy, the CSO at Telos.
In the survey, federal CISOs expressed concerns about several issues, including a lack of guidance about security requirements, system definitions and the evalution methods used by inspectors general to grade agencies, Tracy said.
"CISOs were not sure how to define the systems they were responsible for reporting on, and in some cases they were not exactly clear what the IG was looking for when the IG came in to do an audit," he said.
Meanwhile, the agencies that showed the most progress in this year's report were the Department of Transportation, which scored a D+ last year and got an A- this year; the Department of Justice, which had a failing