RealTime IT News

Feds Again Flunk Network Security

For the fourth consecutive year, a large percentage of federal agencies flunked their annual network security review under the Federal Information Security Management Act (FISMA), including the Department of Homeland Security (DHS) and the Department of Defense (DOD).

Out of 24 reporting agencies, 13 scored either an F or a D in the annual report card scores required under FISMA.

The DHS, which was formed in 2002 in the aftermath of the terrorist attacks on New York City and Washington, scored its third straight F while the DOD, after making D's in 2003 and 2004, fell back to F.

Overall, the government scored a D+ on network security.

"This year, the federal government as a whole hardly improved," Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, said at a Thursday hearing.

"When it comes to federal IT policy and information security, it is still difficult to get people -- even members of Congress -- engaged."

Davis said that "some" agencies still view FISMA as a "paperwork exercise."

"These are short-sighted observations," he said. "As a result of the government's aggressive push to advance e-government, many government information systems hold personal information about citizens and employees, in addition to other types of data."

A new report issued Thursday by the government information and data analysis firm INPUT also underscored Davis' remarks.

"FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements," Bruce Brody, the vice president for information security at INPUT, said in a statement.

Davis said he wanted agencies to actively protect their systems instead of "just reacting to the latest threat with patches and other responses."

The annual report cards indicate that the government made some improvements in developing configuration plans, employee security training and certifying and accrediting systems.

However, most agencies were still found lacking in three areas: implementing the configurations they had planned, reporting incidents consistently, and testing their security controls annually.

"For many years, we have reported that poor information security is a widespread problem that has potentially devastating consequences," Gregory C. Wilshusen, director of Information Security Issues at the General Accountability Office, told Davis' committee.

Wilshusen added: "Nevertheless, progress was uneven [in 2005]. For example, the percentage of agency systems reviewed declined from 96 percent in 2004 to 84 percent in 2005, and the percentage of employees and contractors receiving security awareness training also declined, from 88 percent in 2004 to 81 percent in 2005."

In concluding his remarks on the annual report cards, Davis said: "If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of 'low performers.' None of us would accept D+ grades on our children's report cards. We can't accept these either."