Agencies to get security scores

Agencies will soon receive grades for their progress in information security.

Congressional representatives plan to release a report card next week, grading agencies on their work under the Federal Information Security Management Act (FISMA) of 2002, which strengthened congressional oversight of security matters.

The report card is intended to raise the visibility of the need for strong information security, said FISMA's author, Rep. Tom Davis (R-Va.).

"Many times in government do we come out with another mandate and no funding to do it? How do you prioritize?" said Davis, chairman of the House Government Reform Committee, speaking at an event sponsored by the Potomac Forum Ltd. and ICG Government. "This has not risen to the level of attention that's needed from senior management."

Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, has been spearheading this effort and will release the report card, Davis said. Typical weaknesses include a lack of risk assessments, contingency plans, and complete certification and accreditation, as well as a failure to fix shortfalls found under FISMA's predecessor, the Government Information Security Reform Act of 2000, he said.

"I think there's going to be some surprises in it," Davis said of the report card. "Some agencies you'd expect to be out on top of this thing haven't met it."

Information security will garner attention if there is a massive cyberattack that could compromise the economy or homeland security, he said. The idea behind FISMA and the report card is to be proactive in security management.

"If we continue the way we're going, sooner or later we're going to have a major incident," he said. "We're trying to stay ahead of the curve."