The U.S. government has received the not-so-stellar grade of “C-” in an annual report card on its IT security practices. The good news is that compared to earlier rankings mandated by the Federal Information Security Management Act, or FISMA, the government has improved its score.
The Department of Homeland Security, for instance, received a “D” for 2006, compared with an “F” in 2005. The Department of Energy pulled its grade up to a “C” from an “F.”
The agency that made the greatest progress was the Department of Justice, which received an “A-” for 2006, compared to a “D” in 2005.
Not all agencies improved. The Department of Commerce received an “F” for its security processes last year, compared with a “D+” in 2005. NASA, for its part, slid to “D-” in 2006, compared to “B-” in 2005.
Accountability and Oversight
Overall, the results are sobering, said Robert Siciliano, author of The SafetyMinute :01 and a consultant whose clients include British Petroleum, KPMG and GMAC.
Not surprisingly, the results have prompted a wave of criticism — from lack of accountability to lack of standards enforcement — as well as advice, such as investing in high-level automatic encryption technologies.
Siciliano, for his part, attributes the lax scores to a system that is lacking accountability, training and oversight.
Also, security responsibilities have not been part of the traditional mandate of IT staffers, he told the E-Commerce Times.
“Their job has been to ensure that systems are functioning properly,” Siciliano said, “so the relationship between security and IT has never been solidified. In the government, they have evolved into two different entities.”
It has only been in the last few years that there has been a serious drive to join the two.
Without penalties or incentives linked to FISMA compliance, agencies may not put it at the top of their IT priorities, Mark Zalubas, CTO of Merlin International Federal Research Consortium, a group of Information Assurance application providers, told the E-Commerce Times.
This is not necessarily a sign of incompetence or laziness. It could be that an agency has the resources either to patch a vulnerability in a system or to comply with an assessment by FISMA — but not to do both, he speculated. Obviously, it would choose to meet the immediate need.
Also, the fact that the grades are improving, for the most part, speaks volumes about the federal government’s efforts in this area, Zalubas added. “They are heading in the right direction.”
The feds are not immune to making the same mistakes that the private sector makes, Patrick McGregor, president and CEO of BitArmor Systems, told the E-Commerce Times. Recently — just to cite one example — the Internal Revenue Service was rebuked for allowing its employees to carry home laptops containing taxpayer information.
For some reason, neither the private nor the public sector has been able to keep employees from loading sensitive data onto their laptops, he said. “It can be a difficult thing to control.”
For that reason, “the government needs to start encrypting data from the moment it is created to the moment it is destroyed,” McGregor advised.
The government needs to spend more on IT security, agreed James Butterworth, director of incident response at Guidance Software.
“I think the unifying theme that transcends both government and commercial sectors is that both are undermanned and underfunded in this respect, as well as being too busy with operational mandates,” he explained.
Automating compliance would go far to solve many of the security breaches that occur, commented Butterworth.
Based on security evaluations defined in the 2002 FISMA regulations, the House of Representatives’ Committee on Government Oversight and Reform issues the Federal Computer Security Report Card annually.
Many federal chief information security officers have mixed views about FISMA, Merlin International’s Zalubas pointed out, citing a survey his firm conducted among these executives about their agencies’ Federal Computer Security Report Card grades for 2007.
Among its findings: CIOs still struggle with language ambiguities related to the FISMA guidelines. Also, CIOs from large and small agencies hold divergent opinions on the value of the Report Card process.