Govt. Bombs in Computer Security, Again
Federal agencies still are poor at computer security, according to the 5th annual report card released Wed. by the House Committee on Govt. Reform. The govt. received a D+ for its overall performance in securing public networks and computers in 2004. The grades are based on agency reporting required by the Federal Information Security Management Act (FISMA).
The low grade is a 2.5-point improvement over 2003, said Rep. Davis (R-Va.). “The FISMA grades indicate that agencies have made significant improvements in certifying and accrediting systems, annual testing, and security training,” said Davis, who added that key areas still need attention. Areas for improvement include annual reviews of contractor systems, contingency testing, configuration management and incident reporting.
The weakest agencies include the Dept. of Homeland Security (F), the Dept. of Energy (F), the Dept. of Commerce (F) and the Small Business Administration (D-). The Dept. of Defense received a D. Top scorers are the Agency for International Development (A+), the Dept. of Transportation (A-), the Nuclear Regulatory Commission (B+) and the Social Security Administration (B). The biggest turnaround occurred at the DoT, which received a D+ in 2003. The Dept. of Justice jumped from an F in 2003 to B- in the latest grading.
The report card doesn’t affect annual IT security funding, according to data gathered by Telos Corp., which interviewed about 1/4 of the govt.’s chief information security officers (CISOs). “If there are no incentives for agencies to continue to comply with FISMA requirements, what is the point?” asked Telos Chief Security Officer Richard Tracy in a statement. The company gave the overall grading process a C and said respondents to the study would like clearer guidance on how to follow FISMA guidelines.
Also announced Wed. was a new Chief Information Security Officer Exchange program. The public-private initiative seeks to improve federal cyber security by sharing best practices from industry. “The federal government’s D+ grade on computer security is just not good enough,” said Davis. “The CISO Exchange is designed to bring together federal CISOs and industry leaders to move our govt. to the top of the class in IT security.”