Nuke agency shines bright in security

NRC, DOT explain big jumps in security grades


Managing an agency's information security is an ongoing struggle, and it is virtually impossible to reach a completely secure state. But two federal agencies have found a way to earn better grades: If you teach them, they will lock systems down.

The Transportation Department and the Nuclear Regulatory Commission took two of the biggest jumps to improve their grades on the annual Computer Security Report Card issued in December by Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

The secret is simple: Teach everyone at the agency, from the board room to the computer room, the importance of security and practice the procedures to make it work.

NRC, in fact, received the only A with a score of 94.5 in 2003, which moved the agency up from a C on the 2002 report card.

DOT had nowhere to go but up and still has a long way to go. In 2002, DOT received one of 13 Fs when it scored a 28. But this year's grade improved to 69, which is a D-plus.

DOT's grade is still lagging, but Rebecca Leng, DOT's deputy assistant inspector general for information technology and computer security, said the department deserves kudos for the jump because "we made them work very hard."

Agency inspectors general serve an important role under the Federal Information Security Management Act of 2002 as independent reviewers. Security management improves considerably when the inspector general's office works closely with the chief information officer's staff to make improvements, Leng said.

"We have to make sure management understands that we still have a lot of unfinished business...to make sure that we don't slip on the security issue," she said.

NRC leaders also were critical in improving the agency's grade, according to CIO Ellis Merschoff.

"It's a pleasure to be a CIO at an agency that recognizes the importance of computer security and is willing to provide the support and funds to carry it out," he said.

But there were specific actions that also helped NRC. The agency instituted a four-level review structure for its systems and programs, said Charlotte Turner, acting senior information security officer. The checklist ensures that critical issues, including security concerns, are addressed and fulfilled at four levels before a system or program gains final approval.

The review structure starts with a branch manager-level focus group, moves up to a division director-level council, then to an office director-level senior advisory council and finally to the executive director-level committee.

An important goal is to drum accountability into the business staff that has direct responsibility for overseeing systems, said Louis Numkin, one of the agency's three full-time security officers.

"The owner actually runs the ship; we're there to guide them," he said.

NRC has instituted a security training and awareness program that other agencies are copying, including the U.S. Mint and the Centers for Medicare and Medicaid Services.

The program focuses on the CyberTyger character created eight years ago, which appears on everything from calendars to first-aid items distributed at NRC. The character symbolizes information security. Numkin said NRC conducts regular events to make sure that everyone working at the agency, not just the IT staff, understands the importance of security.

Both organizations use a standardized certification and accreditation process, said Lisa Schlosser, DOT's associate CIO for IT program management.

"Instead of trying to piecemeal [certification and accreditation], we brought it to the departmental level with a department-level team," she said. "One team, one methodology, standardized templates."