Agencies flunk security review

A House panel gave two-thirds of all federal agencies a failing grade for efforts to secure information systems

A House panel last week gave two-thirds of all federal agencies a failing grade for efforts to secure information systems — a worse showing than last year, which officials attributed to greater awareness of security vulnerabilities.

Rep. Stephen Horn (R-Calif.), who has graded agencies on several information technology management topics over the years, gave the government an overall grade of F for its effort to secure IT systems, with 16 of 24 agencies surveyed receiving the failing grade. Only one agency received a grade higher than a C-plus.

"It is a disappointing feeling to announce that the executive branch of the federal government has received a failing grade for its computer security efforts," said Horn, chairman of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, at the Nov. 9 hearing during which he released the grades.

The grades are disappointing, even if they help wake up agency managers to the fact that there's a lot of work to be done to secure the systems, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration.

Last year, Horn gave the government an overall grade of D-minus, with seven agencies getting F grades. Horn and other officials attributed the worsening grades to a more thorough investigation into IT security. Last year, Horn collected information using a questionnaire developed by his staff. This year, however, he based his grades on the first comprehensive evaluations of agencies' security programs mandated under the Government Information Security Reform Act (GISRA). Agency chief information officers and inspectors general submitted those reports Sept. 10 to the Office of Management and Budget.

After realizing that assessing their systems was becoming increasingly important, agencies conducted other security reviews, resulting in a greater awareness of security vulnerabilities, said Robert Dacey, director of information security issues at the General Accounting Office.

"Not surprisingly, this has led to the identification of additional areas of weakness at some agencies," he said.

With creation of the Office of Homeland Security and a cyberspace security adviser, "it is important that federal information security be guided by a comprehensive strategy for improvement" with detailed plans and the resources to back them up, Dacey said.

The Information Technology Association of America, which labeled the security grades "unacceptable," also called for more funding. "It's important to recognize this challenge, but it is also equally important to put in place the investment to address it," said Shannon Kellogg, ITAA's vice president of information security programs. "The reality is that the CIOs in all these agencies are expected to take money for security out of hide."

The administration, however, is not inclined to request more spending on security because an OMB analysis shows no significant relationship between the percentage of IT spending on security and the soundness of the security at an agency, said Mark Forman, OMB associate director for information technology and e-government.

OMB estimates that agencies will spend at least $2.7 billion on security in fiscal 2002 — and they must learn to spend it more wisely, Forman said. "We don't believe that simply adding more money will solve the problem," he said.

The administration, dissatisfied with the security data agencies supplied in the GISRA reports, has asked agencies to provide more details on specific agency programs to better understand the extent of the security problems.

"This is the best set of information we've gotten so far, [but] we want more," Forman said. "When we get into the details, I think we're going to find a mixed bag, and that's where we need to go in the next year."

OMB has asked agencies to reallocate money to conduct more in-depth assessments, especially for a program called Project Matrix. The Critical Infrastructure Assurance Office developed the Matrix program to identify agencies' critical assets, prioritize them from the most to the least critical and determine how dependent they are on one another. Several agencies have completed the assessment. OMB has directed the other agencies to reallocate fiscal 2002 funds for Matrix reviews.

Once the reviews are completed, OMB will identify several governmentwide activities and lines of business for additional Matrix reviews to create a horizontal view of the government's vulnerabilities, Forman said.

For fiscal 2003, OMB will continue to follow the policy set by the Clinton administration that any funding request for an information system with inadequate security will not be included in the president's budget submission, Forman said.

OMB will also use the GISRA reports and budget meetings with agencies "to determine whether OMB must take steps to assist agencies in quickly correcting their most serious weaknesses," he said.

OMB Director Mitchell Daniels Jr. plans to meet with agency heads "to impress upon them that true improvements in security performance come not from external oversight but from within," Forman said.

Daniels' meetings are a good sign, McDonald said. During the rush to fix the Year 2000 problem, agency heads did not pay attention to the issue until John Koskinen, President Clinton's Year 2000 czar, met with them in person, she said.

OMB also must involve the President's Management Council in the effort so that department secretaries and deputy secretaries understand their roles in security, experts say.

"If you make it difficult for secretaries to ignore [security], then the problem will get fixed much more quickly," said Alan Paller, director of research for the SANS Institute, a security education and consulting organization.

New set of security grades from Horn

(Last year's scores in parentheses)

Agency                           Last year   This year
Agriculture                      (F)         F
USAID                            (C-)        F
Commerce                         (C-)        F
Defense                          (D+)        F
Education                        (C)         F
Energy                           (Inc)       F
HHS                              (F)         F
Interior                         (F)         F
Justice                          (F)         F
Labor                            (F)         F
Nuclear Regulatory Commission    (Inc)       F
OPM                              (F)         F
SBA                              (F)         F
Transportation                   (Inc)       F
Treasury                         (D)         F
VA                               (D)         F
NSF                              (B-)        B+
Social Security                  (B)         C+
NASA                             (D-)        C-
EPA                              (D-)        D+
State                            (C)         D+
FEMA                             (Inc)       D
GSA                              (D-)        D
HUD                              (C-)        D
Governmentwide grade             (D-)        F
