Feds bring home a D+

Security is still a tough assignment.

The federal government got a D-plus on its annual security report card from Rep. Tom Davis (R-Va.) this month, even after federal agencies spent $4.2 billion in fiscal 2004 on securing their information systems.

That represents about 7 percent of the value of the federal government’s $59 billion information technology portfolio, according to a new report on security compliance that Office of Management and Budget officials submitted to Congress.

For the first time, agency inspectors general rated agency chief information officers on the quality and quantity of completed certification and accreditation procedures, which are primary measures of agencies’ information security. Among the 24 largest federal agencies, the IGs rated seven, including the Homeland Security and Defense departments, as having poor security procedures.

Speaking at a news conference on the role of IGs under the Federal Information Security Management Act (FISMA) of 2002, Davis said IGs need to standardize their evaluation processes to guarantee that comparisons among agencies are fair.

IGs were the focus of other criticism. Melissa Wojciak, staff director for the House Government Reform Committee, which Davis leads, said the U.S. Agency for International Development received an A on its security report card, but the agency’s IG did not independently review the information that the CIO submitted. “If IGs aren’t doing that,” she said, “they’re ignoring a statutory mandate.”

Wojciak said committee members have sent letters to three agency IGs. “The IGs are as much a part of this process as the CIOs, and if they are not working cooperatively and independently verifying this information, we certainly want to know about it, and we want to ask why.”

Davis said the federal government’s D-plus is not good enough, while announcing that he has created a new forum for federal and private-sector chief information security officers. The educational forum, named CISO Exchange, will hold quarterly meetings for corporate and federal officers to meet and share ideas for improving information systems security practices, as required by FISMA.

Davis named Wojciak and Vance Hitch, the Justice Department’s CIO, as the group’s leaders. “FISMA is about good management practices, and the CISO Exchange will help promote that,” Wojciak said.

The forum will receive no government funding. Stephen O’Keeffe, president of O’Keeffe and Co., a federal IT public relations and events company, will serve as its executive director.

Davis said federal agencies showed progress last year in some areas of compliance with FISMA. But he said they must still make significant improvements.

Federal agencies came up short on providing specialized training for employees who have significant responsibility for government information and information systems, despite spending more than $55 million on security training last year.

The FISMA report to Congress showed significant differences in security training costs across the government. Transportation Department officials, for example, reported spending an average of $7.94 per employee for such training. By contrast, Department of Housing and Urban Development officials said they spent an average of $122.93 per employee. The governmentwide average was $13.33 per employee.

Noting that not all report card news was bad, Davis said DOT, which has 485 systems, got an A-minus after receiving a D-plus last year. Dan Matthews, DOT’s CIO, said hiring Titan to standardize the department’s security certification and accreditation procedures made the difference.


**********

Security measures show improvement

Office of Management and Budget statistics on federal agencies’ compliance with the Federal Information Security Management Act of 2002 show significant improvement in fiscal 2004. But the positive numbers weren’t enough to raise the D-plus grade Congress gave the federal government on its security report card last month.

The chart below shows the percentage of systems that met each criterion in fiscal 2003 and 2004:

Criterion                                             Fiscal 2003   Fiscal 2004
Established effective security and privacy controls       62%           77%
Factored security into system life cycle costs            77%           85%
Tested security controls                                  64%           76%
Tested contingency plans                                  48%           57%

Source: Office of Management and Budget
