Federal agencies as a whole scored higher in their compliance with information-security rules in 2007 compared to the previous year, but nine of twenty-four agencies continue to post a failing grade, according to an annual report card published on Tuesday.
The report card, which gives a numerical grade to each government agency for its compliance with the Federal Information Security Management Act (FISMA) of 2002, gave a grade of 'C' to the combined government effort. As previously reported by SecurityFocus, the two-dozen agencies included in the report card did slightly better in complying with FISMA rules than in 2006, when they scored a 'C-'. However, nine of the agencies -- including the Departments of Commerce, Defense and Treasury -- scored failing grades on the latest report card.
"We need to do more to bring consistency to the IG community regarding standards and review," Rep. Tom Davis, R-Virg., said in a statement announcing the release of the latest report card. "We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don't measure up."
A recent report released by the U.S. Office of Management and Budget (OMB) stated that the government generally did better in fiscal 2007 with certifying systems and testing security controls and contingency plans than the previous year. Twenty-two agencies inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. The increased monitoring of their systems resulted in more attacks being reported, with nearly a third of the reported incidents resulting from alarms created by the US-CERT's EINSTEIN network monitoring system, a component of the Comprehensive National Cybersecurity Initiative (CNCI).
In 2006, most of the U.S. government agencies required to file compliance reports by FISMA scored sub-par grades in computer security. The Federal Information Security Management Act of 2002 requires that the agencies secure their information systems according to guidelines developed by the National Institute of Standards and Technology and file annual reports about their compliance.
Members of Congress have questioned Bush Administration officials over the lack of information available regarding its cybersecurity plan. Congressional committee members and security experts are drafting a report to advise the next president on ways of improving cyber security.
The Department of Justice, Agency for International Development, Environmental Protection Agency, and National Science Foundation all received a grade of 'A+' on their latest report card.
Posted by: Robert Lemos