D+ for fed security -- again

Agencies have made some improvements, but there are still a lot of areas of concern, House Reform Committee members say.

Federal agencies once again received a D+ overall on their 2005 computer security report cards from the House Government Reform Committee based on reports required by the Federal Information Security Management Act. Agencies on the frontline of the war on terror received failing grades.

The overall grade for the 2004 federal security report card was also a D+.

“If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers,’” Rep. Tom Davis (R-Va.), the chairman of the committee, said today at a hearing on computer security. “The scores for the departments of Defense, Homeland Security, Justice, State — the agencies on the frontline in the war on terror — remained unacceptably low or dropped precipitously.”

Of those four departments, DHS remained level with its 2004 grade of an F, according to the committee’s rating. The other departments fell in grades. Defense went from a D to an F, Justice dropped from a B- to a D and State fell from a D+ to an F.

Five agencies – the U.S. Agency for International Development, the Environmental Protection Agency, the Labor Department, the Office of Personnel Management and the Social Security Administration – received an A+ from the committee.

The committee tallied the departments’ scores on the basis of its analysis of responses from agencies and inspectors general to the annual IT security reviews of their systems and programs. The weighted scores are based on the Office of Management and Budget’s performance metrics, with a perfect score totaling 100 points.

At the hearing, questions focused on DOD and DHS. Rep. Diane Watson (D-Calif.) asked if the problem was agencies’ inability to close security gaps.

Gregory Wilshusen, director of information security issues at the Government Accountability Office, said securing large, diverse departments is tough, especially when merging numerous agencies that each have different procedures and cultures.

After the hearing, Scott Charbo, DHS’ chief information officer, said the department’s certified systems were at 26 percent five months ago and are now at 62 percent. “Take a look at where we’re moving our systems right now,” he said.

“DHS is a challenging environment,” said Karen Evans, administrator of e-government and information technology at OMB. “It does take some time to really demonstrate that progress.”

Rep. William “Lacy” Clay (D-Mo.) disagreed. “It sounds to me like you are defending the incompetency of DHS.”

However, all was not bad. Davis noted that the 2005 FISMA grades indicate that agencies made improvements in developing configuration management plans, employee security training, developing and maintaining an inventory, certifying and accrediting systems, and annual testing.

However, the committee still has some areas of concern, including implementation of configuration management policies, specialized security training for employees with significant security responsibilities, inconsistent incident reporting, inconsistencies in contingency plan testing, annual testing of security controls, and agency responsibility for contractor systems, Davis said.

CIOs at two agencies that demonstrated consistent improvements in their information security – SSA and Labor – also appeared before the committee to describe best practices and lessons learned.

SSA has always put a strong emphasis on security and much of its success is due to strong backing for FISMA from senior managers, said Thomas Hughes, SSA's CIO. The agency received an A+ for 2005, up from a B last year.

Thomas Wiesner, deputy CIO at Labor, said that strong support from all levels of management helps the agency strengthen security. But "security is integrated into every IT project," he added.

Rutrell Yasin contributed to this story.