A U.S. House of Representatives subcommittee confirmed this week the concerns of security experts and Washington insiders by grading most federal agencies with a D or F in terms of IT security.
There was improvement from last year’s federal computer-security progress report as the Nuclear Regulatory Commission and National Science Foundation each earned an A and the overall grade was boosted from an F to a D. However, 14 of 24 agencies got Fs or Ds, and lawmakers recognized the bad grades could signify danger.
“The federal government should be the standard bearer when it comes to information security,” said Government Reform Subcommittee Chairman Adam Putnam (R-Florida). “Unfortunately, today’s report card indicates anything but that.”
This year’s report card, which includes new reporting requirements under the Federal Information Security Management Act (FISMA), marks the fourth consecutive year of the grading. The process repeatedly has found serious security holes and lapses in the computer systems administered and used by federal government agencies.
Many of the agencies, such as the Social Security Administration and departments of Labor and Education, improved their grades from last year. However, other key departments — State, Interior, Justice, Energy, Health and Human Services and NASA — failed to improve or, in some cases, slipped from a D to an F.
“The overarching goal of FISMA was to force the federal government to put its house in order and become a reliable partner in the protection of our information highways,” said Rep. Tom Davis (R-Virginia), FISMA author and Chairman of the Government Reform Committee. “The grades we released today indicate that while some rooms in that house are tidier, too many others are not.”
Among the federal agencies that brought home failing grades was the Department of Homeland Security. The agency was not graded last year, but it has been the focus of criticism since national cyber security efforts were folded into it over the past two years.
Ronn Bailey — founder and chief executive of Vanguard Integrity Professionals, an industry group intended to counter lagging government efforts on cyber security — told TechNewsWorld that the Department of Homeland Security killed the previous security momentum.
“When they got rolled up inside the Department of Homeland Security, people were now reporting four or five levels down,” Bailey said. “Virtually all the people involved were no longer there.”
Referring to the report card, Bailey likened the government’s performance on IT security to “playing hooky.”
“There is no grade to be made,” he said.
Unable To Audit
On top of the disappointing — but not unexpected — government-wide grade of D, U.S. officials expressed concern that several of the agencies required to report to the subcommittee could not even account for the systems they were supposed to be auditing, without which no audit can be complete.
“One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission-critical systems,” Putnam said. “Obviously, an agency can’t ensure its systems are secure if it can’t account for all of its mission-critical systems.”
Davis added that 79 percent of the agencies don’t have accurate system inventories, which “casts doubt over the entire reporting process.”
Culture and Capitalism
Putnam, who blamed the private sector and insecure software as well as government foot-dragging for the security dilemma, said the corporate culture of top CEOs and government executives must change.
“While some burden is on the shoulders of the user, I feel strongly that a significant burden falls on the shoulders of the hardware, software, operating system manufacturers and ISPs,” Putnam said. “These entities, until recently, have paid insufficient attention to educating consumers as to the importance of security.”
While he agreed about the need to change thinking among company managers, CyberGuard federal division vice president Matt Mosher told TechNewsWorld that until consumers demand a more secure cyber infrastructure, businesses will neglect it.
“I think [companies] are all talking about security, but at the end of the day these are public companies that are motivated by money,” he said.