Feds Fail Computer Security Test

The federal government has made progress in securing its computer systems
since last year, but it still only earned a D-plus from Congress for its
overall performance in 2004.

The Federal Computer Security Report, compiled by the House Government
Reform Committee and based on reports from each agency’s inspector general,
suggests the country’s bureaucracy may have a tough road ahead trying to
protect the nation’s important information technology.

“It is just not good enough,” Tom Davis, chairman of the committee, said at a news conference Wednesday. “We are much safer
across the board than we were two years ago, but we have a long way to go
with a lot of vulnerability.”

The grades are issued annually and are largely based on security
evaluations as defined in the Federal Information Security Management Act
(FISMA) of 2002. The report cites agencies with both exceptional and poor
performance records, and details the remaining challenges the agencies face
under FISMA.

The report shows that one-third of the 24 largest agencies received
failing grades, most notably the departments of Energy and Homeland
Security. The departments of Transportation and Justice made the most marked
improvement in securing their IT networks.

The Department of Transportation improved from a D-plus to an A-minus and
the Department of Justice (DoJ) was given a B-minus after receiving a failing grade in
2003. Another top performer was the Interior Department, which improved from
an F to a C-plus this year.

Although each agency has different circumstances and obstacles to
overcome in securing their networks — Homeland Security encompasses dozens of
agencies and offices — Davis said pulling agencies up to code would remain
a priority.

“Several agencies continue to receive failing grades, and that’s
unacceptable,” Davis, a Republican congressman from Virginia, said. “We’re
also seeing some exceptional turnarounds.”

Davis did credit each department and its head for continued efforts in security and said the improvements, although small, showed staff members were not turning the reports into merely a “paperwork exercise.”

Davis said the lack of any kind of contingency plan for a complete system
failure and the minimal training provided for employees who work in security
remained the biggest concerns once again this year.

The Telos Corporation also presented its results of the first Federal
Computer Security Report Card Chief Information Security Officer (CISO)
Study.

The study of 32 CISOs offers perspectives on the effectiveness of the
report card system.

“The CIO Council is committed to closing the security gap in our federal
agencies,” said Vance Hitch, the DoJ’s CIO and chair of the
Cyber Security & Privacy Committee for the CIO Council.
