For the fourth consecutive year, a large percentage of federal agencies
flunked their annual network security review under the Federal Information
Security Management Act (FISMA), including the Department of Homeland
Security (DHS) and the Department of Defense (DOD).
Out of 24 reporting agencies, 13 scored either a D or an F in the annual
report card scores required under FISMA.
The DHS, which was formed in 2002 in the aftermath of the terrorist attacks
on New York City and Washington, scored its third straight F while the DOD,
after making D’s in 2003 and 2004, fell back to F.
Overall, the government scored a D+ on network security.
“This year, the federal government as a whole hardly improved,” Rep. Tom
Davis (R-Va.), chairman of the House Government Reform Committee, said at a
“When it comes to federal IT policy and information
security, it is still difficult to get people — even members of Congress —
Davis said that “some” agencies still view FISMA as a “paperwork exercise.”
“These are short-sighted observations,” he said. “As a result of the
government’s aggressive push to advance e-government, many government
information systems hold personal information about citizens and employees,
in addition to other types of data.”
A new report issued Thursday by the government information and data analysis
firm INPUT also underscored Davis’ remarks.
“FISMA has become a largely paperwork drill among the departments and
agencies, consuming an inordinate amount of resources for reporting progress
while putting in place very little in the way of actual security
improvements,” Bruce Brody, the vice president for information security at
INPUT, said in a statement.
Davis said he wanted agencies to actively protect their systems instead of
“just reacting to the latest threat with patches and other responses.”
The annual report cards indicate that the government made some improvements
in developing configuration plans, employee security training and certifying
and accrediting systems.
However, most agencies were found still lacking in implementing
configuration, inconsistent incident reporting and annual testing of
“For many years, we have reported that poor information security is a
widespread problem that has potentially devastating consequences,” Gregory
C. Wilshusen, director of Information Security Issues at the General
Accountability Office, told Davis’ committee.
Wilshusen added: “Nevertheless, progress was uneven [in 2005]. For example,
the percentage of agency systems reviewed declined from 96 percent in 2004
to 84 percent in 2005, and the percentage of employees and contractors
receiving security awareness training also declined, from 88 percent in 2004
to 81 percent in 2005.”
In concluding his remarks on the annual report cards, Davis said: “If FISMA
was the No Child Left Behind Act, a lot of critical agencies would be on the
list of ‘low performers.’ None of us would accept D+ grades on our children’s
report cards. We can’t accept these either.”