Computerworld - The overall security of federal government computer systems garnered only a D+ average in the 2004 security report card released last week by the House Government Reform Committee. A year earlier, the average grade was a D.
At the same time, a survey of 30 federal chief information security officers (CISO) found a need for "significant" improvements in the reform committee's evaluation criteria.
Seven of the 24 agencies graded, including the departments of Homeland Security, Energy, and Health and Human Services, scored an F for the second consecutive year.
Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, said at a press conference that government agencies are generally "moving in the right direction" on security. But the 2004 grades also contain significant bad news, Davis added. "We need to move faster, and I hope it won't take some kind of cyber [attack] to crystallize everybody," he said.
Among the agencies showing the most progress last year were the Department of Transportation, which improved to an A- from a D+ in 2003; the Department of Justice, which received a B- after failing a year earlier; and the Department of the Interior, which was given a C+ after getting an F in 2003.
The annual Federal Computer Security Report Card is based on evaluations as defined in the Federal Information Security Management Act (FISMA) of 2002. The evaluations are compiled by the committee based on information provided by each agency's inspector general.
The key value of the report card is in learning what actually works to improve security, said Alan Paller, research director at SANS Institute, a Bethesda, Md.-based training company. "A large number of grades went down, a few went up—a lot. What allowed those who increased to do so?" he asked.
New Tools Help
George Bonina, director of IT security at the Environmental Protection Agency, said that much of his agency's improved showing stemmed from the organization's use of automated tools for compliance verification and monitoring.
In a comment relayed via a department spokeswoman, Vance Hitch, CIO at the Justice Department, said that "organizational enhancements and development of new tools and skills" led to the dramatic improvement shown by the agency in 2004.
The survey of CISOs, conducted by Ashburn, Va.-based Telos Corp., gave a C grade to the Federal Computer Security Report Card itself.
According to 60% of the CISOs surveyed, the report card provides useful insight into their security preparedness. But the same amount questioned the report card's real impact, noting that agency funding for IT security was not affected by bad grades.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
