The US government got an overall grade of C-minus in a computer security report card that evaluates the performance of 24 individual agencies covered by the Federal Information Security Management Act (FISMA).
Eight agencies -- including the departments of Defense, Interior and State as well as the Nuclear Regulatory Commission -- received failing grades. An equal number of agencies, including the General Services Administration, the Social Security Administration and the Department of Housing and Urban Development (HUD), scored at least an A-minus.
The grades in the seventh annual report card on federal computer security were released by Tom Davis, ranking member of the House Committee on Oversight and Government Reform. The committee each year releases the Federal Computer Security Report Card based on security evaluations defined in FISMA. The evaluations are compiled by the committee based on information provided to Congress each year by the inspector general of each agency.
Asked at a news conference whether the US public should be confident that government agencies are protecting against cyberterrorism, Davis said: "It doesn't give me a lot of confidence."
Davis defended the Department of Homeland Security, which got a "D," saying it is still working to integrate the 22 agencies merged to create it in 2002. The creation of the department was a "horrendous, complicated deal," he said.
"It's a work in progress, and it's going to take some time."
But Davis had no kind words for the Department of Defense. He called it a "badly managed agency" with each military branch focusing on its own technology.
Agencies are rated on issues such as their adherence to security configuration standards, their ability to detect and respond to intrusions, whether they certify and accredit their systems, inventory accuracy and the kind of security training programs they offer employees.
Overall, the government's C-minus performance marks a "slow but steady improvement from past years," said Davis in a statement, pointing to the D-plus and D grades he had given the government over the past three years. "Obviously, challenges remain. But there are some excellent signs of progress in this year's report, and that's encouraging."
Those showing the most improvement in this year's report were the Department of Justice and HUD, both of which jumped from Ds to As. Meanwhile, NASA and the Department of Education showed the biggest declines in security. The space agency dropped from a B-minus to a D-minus; the education department went from a C-minus to an F.
According to Davis, this year's reports show that more agencies are paying attention to issues such as the annual testing of security controls and contingency plans -- and there is much better reporting of security breaches. However, more progress needs to be made in areas such as configuration management and progress measurement, he said.
Though the annual computer security grades are generally perceived as an indication of the security readiness of federal agencies, some have questioned their value and the manner in which the grades are scored.
Alan Paller, director of research at the US SANS Institute, said that while the grades appear to show an overall improvement, at least some of that is likely the result of "a few more agency IGs [inspectors general] deciding it wasn't worth it to give a black eye to their departments" by giving them a poor assessment. "Sometimes it's a crap shoot. If the IG isn't feeling good, [their agency] gets an F."
He also pointed to continuing limitations in how agencies are assessed for security readiness. For example, one of the most important contributors to a good FISMA grade is the level of compliance within an agency to established hardware and software configuration standards, Paller said.
"The way it gets implemented is that the security team puts out a policy that says all computers have to use such-and-such a configuration," he said. But few mechanisms exist within these agencies to enforce or to verify compliance with those requirements, he said. As a result, the data collected by the IGs about compliance with configuration requirements is often incomplete or unreliable.
The results of a survey of 30 federal chief information security officers released today appear to offer divergent views on the value of the FISMA report card. The survey was conducted by a group called the Merlin International Federal Research Consortium (MFRC), which bills itself as a group of IT vendors, including companies such as BMC Software, F5 Networks and Layer 7 Technologies.
According to Merlin, the survey shows that the current report card process appears to disproportionately benefit larger agencies. About 60 percent of CISOs at large agencies say that FISMA reporting provides real insight into the security of their department's IT environment while just 36 percent of CISOs from small agencies concur.
"The findings suggest that the report card is not one-size-fits-all, and that small agencies face different IT security challenges than their larger counterparts," the Merlin report noted. "Based on the CISO feedback, the current report card process does not take these differences into account."
As a result, it might be worth considering a separate evaluation process for smaller federal agencies, the Merlin report said. The study also noted a continuing disconnect between performance on the FISMA report card and its effect on funding. About 79 percent of federal CISOs do not see a link between FISMA grades and overall IT budgets, while 75 percent of CISOs do not see a relationship between FISMA grades and IT security funding.
Grant Gross, of the IDG News Service, contributed to this report.