SecurityFocus, 2007-04-13
The majority of twenty-four U.S. government agencies continued to score sub-par grades in computer security for 2006, according to an annual report card required by federal legislation.
While the overall grade of the agencies averaged to a 'C-', a slight improvement over the 'D+' received in 2005, the individual grades ranged across the spectrum. Some of the U.S. government's largest agencies, including the Departments of Commerce, Defense, Education, State, and Treasury, scored failing grades.
Other agencies dramatically improved their grades from last year. The Department of Health and Human Services improved last year's 'F' to a 'B' in 2006, while the Department of Housing and Urban Development jumped from a 'D+' to an 'A+', according to the score card (PDF).
"The results of the report card this year show that federal agencies are beginning to take seriously their responsibilities to safeguard sensitive information," Rep. Mike Turner, R-Ohio, ranking member of the Information Policy, Census and National Archives Subcommittee, said in a statement. "It's disturbing that some of the agencies with the most sensitive information continue to score poorly on this."
The grades are based on numerical scores ranking the agencies' compliance with the Federal Information Security Management Act (FISMA) of 2002, which requires that the agencies secure their information systems according to guidelines developed by the National Institute of Standards and Technology and file annual reports about their compliance.
A number of security incidents impacted federal agencies in 2006. In October, the U.S. Department of Commerce shut down access to hundreds of computers after discovering that compromised user accounts had allowed online attackers to infiltrate the network. In May, the Department of Veterans Affairs revealed that a laptop and hard drive stolen from the residence of a federal employee contained sensitive records on more than 26 million military personnel. The FBI later recovered the laptop.
The Department of Commerce received an 'F' in the latest FISMA report card, while the Department of Veterans Affairs essentially got an incomplete for not turning in its report.
The Department of Homeland Security, the agency responsible for securing the nation's critical infrastructure, received a 'D' this year, the first time since 2003 that the agency did not receive an 'F'. Rep. Davis attributed the modest increase to DHS's completing an inventory of its critical assets.
"You can't protect what you don't know you have," he said.
However, security companies have pointed out that compliance is not the same thing as security.
"FISMA is to some extent a paper exercise," said Jeremy Nazarian, vice president of marketing at network security firm Lumeta. "And, although it's not a complete representation of how an agency is doing, the score is ultimately a decent measure of how well aligned an organization is with security policies as defined by NIST."
The FISMA grades are based on the security reviews performed by the agencies, including progress in correcting previously identified weaknesses and the results of system hardening. Each agency is required to submit a report on its findings to the Office of Management and Budget by October.