, SecurityFocus 2004-10-22
October 6th marked the deadline for government agencies to turn in their cyber security homework-- specifically, the independent audits that form the basis of Congress' much-cited annual federal computer security report card. Though final grades won't be issued until later in the year, some agencies have put their audit reports on the Web, allowing for a bit of a preview.The
The Nuclear Regulatory Commission -- last year's only A -- is poised for another gold star, with auditors reporting the NRC completed most of the corrective actions identified in last year's review. The only sticking points: some documents and one risk assessment needed updating, and a "sensitive" manual on the agency's information security program had improperly been made public on the NRC website. Some raw numbers: NRC's e-mail gateway software blocked 33,449 virus-laden messages in '04, and the agency suffered 93 incidents of malicious code penetrating workstations. No intruders were spotted.
Nearer the back of the class, the
Energy counted 199 successful intrusions, including a recent case "where an external party gained broad access to multiple systems on several occasions," reads the audit report. On the plus side, auditors identified fewer cyber security weaknesses than in years past: a total of 32 in 2004, from a high of 69 in 2003. The DOE got a failing grade from Congress in 2003 and 2002.
Auditors examining cyber security at the
The reports were prepared under the 2002 Federal Information Security Management Act (FISMA), which requires agencies to have their cyber security independently evaluated each year, and the results sent to the White House's Office of Management and Budget.
Dozens of agencies haven't publicly released their FISMA report, including often-hacked targets like the Defense Department and NASA -- D and D- last year, respectively -- and the new Department of Homeland Security, which flunked its debut on the 2003 report card.
The House Committee on Government Reform began using the FISMA audits as the basis of its federal computersecurity report card last year, and