Evans on security: At least it's improving

E-gov overseer says the federal government's security grade of D is positive because it's better than the F grades of previous years.

Government officials and security experts see the improvement in the cybersecurity grades awarded by Congress this week as a positive sign, even if that improvement was minimal.

The governmentwide grade of D, given by Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, is still not good. But Karen Evans, the Office of Management and Budget's administrator for e-government and information technology, is optimistic. "I am a positive person," Evans said. "I was excited we moved to a D because we had been an F overall for three years. Any movement forward is a good thing."

In one way, it was good to see that the grade didn't jump too much, observers said. That diminished any possibility for speculation that the grades were fixed or that agency officials were padding their reports, said Alan Paller, director of research at the SANS Institute, a security education and research organization.

At the same time, "it allowed the organizations to show some progress, and that's so important," Paller said. "At some point, if you want to make change, you need to use positive reinforcement."

The agencies that showed the most improvement also showed that officials can learn from one another, he said. For example, the Nuclear Regulatory Commission jumped 20 points from a C to an A. The Transportation Department only raised its grade from an F to a D+, but it jumped more than 40 points at least in part because officials implemented an idea from the commission, Paller said.

At the release of the grades Dec. 9, Putnam said that during the next year, he would emphasize spreading tactics and processes from high-performing agencies to those at the bottom of the spectrum.

Evans said she was pleased Putnam used the same scoring methods as before, thus allowing for a fair comparison. The grading effort also seemed to be a collaborative effort among Congress, OMB and the agencies.

However, there is a lot of work to be done, she said. "Cybersecurity is a challenge, and a lot of it is that [agency officials] are really thinking about their overall cybersecurity IT strategy," Evans said. "As they are defining what systems were and moving more toward portfolio management, there are issues associated with that."

OMB officials are helping agencies move forward through the quarterly assessments in the President's Management Agenda. That score card also evaluates security and helps agencies stay focused on continued improvement, which is exactly what Evans said she expects to see.

"We would like to see higher grades, but it does show a momentum moving forward," she said. "It does show the [inspectors general] have recognition that the agencies that have put a lot of effort in are moving forward."