Computerworld
Print Article
Close Window

Federal agencies get a D+ on cybersecurity

Seven of the 24 agencies studied receiving failing grades

Jaikumar Vijayan
 

February 17, 2005 (Computerworld)

Despite some improvements over last year, the overall security of federal government computer systems still merits only a D+ average, with seven of the 24 agencies receiving failing grades in the federal computer security report card released by the House Government Reform Committee yesterday.
The D+ average, a slight improvement over last year's D grade, is an indication that federal agencies are moving in the right direction, said Government Reform Committee Chairman Tom Davis (R-Va.) in a statement yesterday.
"The good news is, the grade for government agencies overall rose 2.5 points last year. The bad news is, the overall grade is a D+," Davis said.
The House committee report coincided with the release of the results from a separate survey in which 30 federal chief information security officers (CISO) gave the House committee's report card itself a C. That survey, conducted by Telos Corp., an Ashburn, Va.-based IT service provider to federal agencies, cited the need for "significant" improvements in the evaluation criteria used to measure government agencies.
The Telos report was based on telephone surveys of 26% of federal agency CISOs, according to the company.
The Federal Computer Security Report Card is issued annually by the Government Reform Committee and is based on security evaluations defined in the Federal Information Security Management Act (FISMA) of 2002. The evaluations are compiled by the committee based on information provided by the inspector general from each agency.
Sixty percent of the CISOs surveyed by Telos said the Federal Report Card provided useful insight into their security preparedness. But they also questioned the real impact of the report card, noting that agency funding for IT security was not affected by bad grades.
"What is the purpose of evaluating and grading if there is no incentive for good performance and no repercussions for poor performance?" said Richard Tracy, the CSO at Telos.
In the survey, federal CISOs expressed concerns about several issues, including a lack of guidance about security requirements, system definitions and the evalution methods used by inspectors general to grade agencies, Tracy said.
"CISOs were not sure how to define the systems they were responsible for reporting on, and in some cases they were not exactly clear what the IG was looking for when the IG came in to do an audit," he said.
Meanwhile, the agencies that showed the most progress in this year's report were the Department of Transportation, which scored a D+ last year and got an A- this year; the Department of Justice, which had a failing grade last year and improved to a B-; and the Department of the Interior, which also failed last year but got a C+ in the latest report.
Even so, several large agencies received failing grades, including the Department of Homeland Security -- which scored an F for the second year running -- as well as the departments of Energy and Health and Human Services.
"The 2004 FISMA grades indicate that agencies have made significant improvements in certifying and accrediting systems, annual testing and security training, but significant challenges remain," Davis said. "Several agencies continue to receive failing grades, and that's unacceptable."
In response to the results and to some of the concerns expressed in the Telos CISO survey, Davis yesterday announced the creation of the CISO Exchange, a public-private initiative focused on giving federal CISOs more of a voice in upgrading federal cybersecurity. Co-chairing the CISO Exchange will be Davis and Vance Hitch, CIO for the Department of Justice .
"This CISO Exchange is designed to bring together federal CISOs and industry leaders to move our government to the top of the class in IT security" via a cross-pollination of ideas between the public and private sectors, Davis said.