RealTime IT News

Feds Fail Computer Security Test

The federal government has made progress in securing its computer systems since last year, but it still only earned a D-plus from Congress for its overall performance in 2004.

The Federal Computer Security Report, compiled by the House Government Reform Committee and based on reports from each agency's inspector general, suggests the country's bureaucracy may have a tough road ahead trying to protect the nation's important information technology.

"It is just not good enough," Tom Davis, chairman of the committee, said at a news conference Wednesday. "We are much safer across the board than we were two years ago, but we have a long way to go with a lot of vulnerability."

The grades are issued annually and are largely based on security evaluations as defined in the Federal Information Security Management Act (FISMA) of 2002. The report cites agencies with both exceptional and poor performance records, and details the remaining challenges the agencies face under FISMA.

The report shows that one-third of the 24 largest agencies received failing grades, most notably the departments of Energy and Homeland Security. The departments of Transportation and Justice made the most marked improvement in securing their IT networks.

The Department of Transportation improved from a D-plus to an A-minus and the Department of Justice (DoJ) was given a B-minus after receiving a failing grade in 2003. Another top performer was the Interior Department, which improved from an F to a C-plus this year.

Although each agency has different circumstances and obstacles to overcome in securing its networks -- Homeland Security encompasses dozens of agencies and offices -- Davis said pulling agencies up to code would remain a priority.

"Several agencies continue to receive failing grades, and that's unacceptable," Davis, a Republican congressman from Virginia, said. "We're also seeing some exceptional turnarounds."

Davis did credit each department and its head for continued efforts in security and said the improvements, although small, showed staff members were not turning the reports into merely a "paperwork exercise."

Davis said the lack of any kind of contingency plan for a complete system failure and the minimal training provided for employees who work in security remained the biggest concerns once again this year.

The Telos Corporation also presented its results of the first Federal Computer Security Report Card Chief Information Security Officer (CISO) Study.

The study of 32 CISOs offers perspectives on the effectiveness of the report card system.

"The CIO Council is committed to closing the security gap in our federal agencies," said Vance Hitch, the DoJ's CIO and chair of the Cyber Security & Privacy Committee for the CIO Council.