Government gets 'D' on security

Federal agencies are still far behind where they need to be on information security, says Rep. Adam Putnam.

Federal agencies are still far behind where they need to be on information security, scoring a governmentwide grade of D for 2003 based on grades released today by Rep. Adam Putnam (R-Fla.).

But there are potential sources for improvement over the next year with some encouragement from Congress.

Putnam's score card follows three years of grading performed by former Rep. Stephen Horn (R-Calif.) and the staff of his subcommittee of the House Government Reform Committee. For the first time, the grades are based on the same criteria as the year before by using the self-assessments each agency submits to the Office of Management and Budget under the Federal Information Security Management Act (FISMA). Congress and agencies can track improvement or new weaknesses, said Putnam, chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Some agencies showed significant improvement, including the National Science Foundation, which moved to an A-minus from a D-minus, and the Labor Department, which went to a B from a C-plus. But 14 agencies received a grade below C-minus and eight failed. In three departments the inspector general did not submit a corresponding assessment, as required by law as an independent comparison.

One of the failing agencies was the Homeland Security Department. The failure is understandable because the organization is still coming together, Putnam said. "We expect significant improvement from [DHS] next year," he said. "They should be the leaders."

OMB's report on agency assessments is due March 1. The subcommittee will hold a hearing at that point to, among other things, examine differences between the OMB evaluation and the grades. The two viewpoints differed greatly in the past, and it will be important to explain discrepancies, Putnam said.

Over the coming months, the subcommittee will meet with chief information officers from every agency to get detailed remediation plans. The goal is to provide oversight and get failing agencies to learn from those that scored well or made significant improvements, Putnam said.

The biggest area of concern is that only five of the 24 agencies reviewed have completed inventories of critical information technology assets, a listing required for the last four years by FISMA and its predecessor, the Government Information Security Reform Act of 2000.

"That is a clear part of the law, and it is disturbing that 19 of the agencies are still out of line," Putnam said. "I don't underestimate the challenge, but the fact of the matter is they need to do it. ... Some folks have proved it can be done, and not just small agencies."

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, and Sen. Susan Collins (R-Maine), chairwoman of the Senate Governmental Affairs Committee, expressed their concerns. Collins said the low grades were unacceptable for agencies that oversee many portions of the nation's critical infrastructure.

"While we're making progress, it's important to note that we're still not at a point where information security is being taken seriously by every agency and department," said Davis, coauthor of FISMA. "Clearly, our goal of making computer security a constant management focus has not been met."

The subcommittee staff will work with both committees to approach the appropriations committees and make sure that security is taken into consideration and agencies receive the support they need, officials said. Although there is no evidence to show that money is a problem, what appropriators emphasize can affect an agency management's choices, said Bob Dix, Putnam's chief of staff.

GRADES
Agency                                2003  2002
Nuclear Regulatory Commission         A     C
National Science Foundation           A-    D-
Social Security Administration        B+    B-
Labor Department                      B     C+
Education Department                  C+    D
Veterans Affairs Department*          C     F
Environmental Protection Agency       C     D-
Commerce Department                   C-    D+
Small Business Administration         C-    F
Agency for International Development  C-    F
Transportation Department             D+    F
Defense Department*                   D     F
General Services Administration       D     D
Treasury Department*                  D     F
Office of Personnel Management        D-    F
NASA                                  D-    D+
Energy Department                     F     F
Health and Human Services Department  F     D-
Interior Department                   F     F
Agriculture Department                F     F
Housing and Urban Development Dept.   F     F
State Department                      F     F
Homeland Security Department          F     --
Governmentwide average                D     F
* — No independent evaluation from the inspector general.
Source: House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census