The government’s annual agency information security reports cards are out, and Uncle Sam is still struggling to protect sensitive data. While the cumulative score of 72.9 represents the government’s first overall passing grade, many agencies still made D’s and F’s.
The Department of Justice (DoJ) and the Department of Housing and Urban Development (HUD) showed the most improvement from 2005 to 2006. The DoJ climbed from a D in 2005 to an A- in 2006. HUD jumped to an A+ after a D- in 2005.
NASA, which fell from a B- to D-, and the Department of Education, which fell from C- to an F, showed the biggest decline. The Department of Homeland Security (DHS), along with the Department of Defense (DOD) and five other agencies, all failed for the fourth consecutive year.
“While there are some excellent signs of progress in this year’s report, and that’s encouraging, I remain concerned that large agencies like DOD and DHS are still lagging in their compliance,” U.S. Rep. Tom Davis (R-VA) said in a statement.
The grades come from annual agency information security reports mandated by the Federal Information Security Management Act (FISMA), which Davis sponsored and took to passage in 2002. Agencies are rated on how well they detect and react to security breaches, training, network security configurations and whether they certify and accredit their systems as secure.
“We are somewhat encouraged by the slight improvement over last year’s grades. However, there is still a lot of work to be done,” Liz Gasster, acting executive director of the Cyber Security Industry Alliance (CSIA), said in a statement.
Gasster added that FISMA tests are an “important first step,” but “there are not nearly enough consequences for those agencies who fail to comply.”
Earlier this year, the CSIA issued its own evaluation of federal agencies, giving the government an overall D in information security and assurance. “CIOs and [chief information security officers] must be given more authority to take action to enforce and implement [FISMA], or security will continue to suffer.”
The CSIA is seeking data-security legislation applying equally to all government and private-sector entities that collect, maintain or sell significant numbers of records containing sensitive personal information. The group wants lawmakers to establish “reasonable security measures” in order to minimize the likelihood of a breach.
“The results of the report card this year show that federal agencies are beginning to take seriously their responsibilities to safeguard sensitive information,” Rep. Mike Turner (R-Ohio) said in an statement. Nevertheless, Turner, the ranking member of the Information Policy, Census and National Archives subcommittee, said, “It’s troubling that some agencies with the most sensitive information continue to score poorly on this.”
While the DHS, one of the low-performing agencies targeted by Davis and Turner, again failed the test, it did dramatically bring its grade up from a 33.5 in 2005 to a 66 last year. Davis attributed the improvement to DHS finally establishing an inventory of its secure computer systems.
“You can’t protect what you don’t know you have,” he said.
Davis found encouragement in that agency reporting of breaches or other security incidents have increased, along with annual testing of security controls. Slightly more systems were certified and accredited as secure in 2006.