Report card day looms for federal agencies
Kevin Poulsen, SecurityFocus 2004-10-22

October 6th marked the deadline for government agencies to turn in their cyber security homework-- specifically, the independent audits that form the basis of Congress' much-cited annual federal computer security report card. Though final grades won't be issued until later in the year, some agencies have put their audit reports on the Web, allowing for a bit of a preview.

The Social Security Administration, which brought home a B+ in 2003, is favored for teacher's pet this time around. It suffered no security incidents at all in the 2004 fiscal year, it says: no root or user compromises, no defacements, no viruses and no DDoS attacks. Among other achievements, the agency completed a total accounting of its systems, and performed vulnerability scans and penetration tests of all of them, according to the audit.

The Nuclear Regulatory Commission -- last year's only A -- is poised for another gold star, with auditors reporting the NRC completed most of the corrective actions identified in last year's review. The only sticking points: some documents and one risk assessment needed updating, and a "sensitive" manual on the agency's information security program had improperly been made public on the NRC website. Some raw numbers: NRC's e-mail gateway software blocked 33,449 virus-laden messages in '04, and the agency suffered 93 incidents of malicious code penetrating workstations. No intruders were spotted.

Nearer the back of the class, the Department of Energy struggled with the basics. Though the department launched a campaign in 2004 to certify its systems and improved its incident reporting process, "problems continue to exist in the Department's unclassified cyber security program that, if uncorrected, could expose critical systems to compromise," auditors found. The DOE had trouble ensuring that only authorized personnel could access particular systems, and that known vulnerabilities were closed.

Energy counted 199 successful intrusions, including a recent case "where an external party gained broad access to multiple systems on several occasions," reads the audit report. On the plus side, auditors identified fewer cyber security weaknesses than in years past: a total of 32 in 2004, from a high of 69 in 2003. The DOE got a failing grade from Congress in 2003 and 2002.

Auditors examining cyber security at the Department of Transportation found problems at its largest component, the Federal Aviation Administration, where air traffic control systems were insufficiently secured against cyber attacks. Elsewhere, improvements were noted at the Environmental Protection Agency, where officials "have taken positive actions" to protect their IT environment, though some 224 virus incidents managed to pollute 63 EPA systems during the year. The EPA went from a D- to a C in 2003; the DOT from an F to a D+.

The reports were prepared under the 2002 Federal Information Security Management Act (FISMA), which requires agencies to have their cyber security independently evaluated each year, and the results sent to the White House's Office of Management and Budget.

Dozens of agencies haven't publicly released their FISMA report, including often-hacked targets like the Defense Department and NASA -- D and D- last year, respectively -- and the new Department of Homeland Security, which flunked its debut on the 2003 report card.

The House Committee on Government Reform began using the FISMA audits as the basis of its federal computersecurity report card last year, and gave the federal government a D overall. This year's grades are expected out in December.