The US government has received an overall grade of C- on an annual IT security report card issued by Republican Tom Davis. That was a slight improvement from the D+ grades handed out for the two previous years, but eight agencies got failing marks -- the same number as last year.
The agencies at the bottom of the report card included the departments of Defense, State, the Interior and the Treasury, as well as the Nuclear Regulatory Commission. It was the second straight F grade for the Defense, State and Interior departments. Meanwhile, the Department of Homeland Security received a D, up one grade from an F a year ago.
Karen Evans, administrator of e-government and IT at the White House Office of Management and Budget, said at a press conference that she was encouraged by the improvement in the overall security grade but not satisfied with the results. "I would not accept a C- on my kids' report cards," Evans said. "Average is not good enough."
The grades are based on reports compiled annually by the agencies' inspectors general to comply with the requirements of the Federal Information Security Management Act, which Davis authored. The FISMA reports submitted for 2006 show that more agencies are testing their security controls and contingency plans and that the reporting of security breaches has "increased dramatically," said Davis, who is the ranking minority member on the House Committee on Oversight and Government Reform.
However, Davis said more improvements need to be made in areas such as secure systems configuration and the development of effective security plans, as well as establishing milestones for measuring the progress of the plans.
Not everyone is convinced, though, that the FISMA-based report card provides a clear picture of the security posture within federal agencies.
Avoiding a black eye

Alan Paller, director of research at the US-based SANS Institute, said that although the grades for 2006 appear to show an overall improvement, at least some of the gains likely are the result of "a few more agency [inspectors general] deciding it wasn't worth it to give a black eye to their departments" by issuing a poor assessment of their security practices.
Paller also pointed to continuing limitations in how agencies are assessed for security readiness. For example, one of the most important contributors to a good FISMA grade is the level of compliance within an agency to hardware and software configuration standards established by its information security team.
But few agencies have mechanisms for enforcing or verifying compliance with those requirements, Paller said. As a result, he said, the data that gets collected is often incomplete or unreliable.
The results of a recent survey of 30 federal chief information security officers also offered divergent views on the value of the FISMA report card.
The survey was conducted last month by the Merlin International Federal Research Consortium, a group of IT vendors led by Merlin International. According to the consortium, about 60 percent of the CISOs at large agencies -- those with more than 10,000 employees -- said that FISMA reporting provides real insight into the security of their IT environments. Just 36 percent of their counterparts at small agencies concurred, Merlin said.
"The question is whether complying with FISMA regulations is really making agencies any more secure," said Mark Zaluba, Merlin International's chief technology officer. A danger with any such grading system is that it can induce agencies to "teach to the test" and show compliance without really improving security, he added.
Chris Fountain, CEO of security services provider SecureInfo, said the FISMA report card has helped elevate awareness about IT security issues inside federal agencies.
But the grades agencies get are far too dependent on qualitative input instead of hard metrics such as vulnerability assessments and network penetration tests, Fountain said.
"You can't correlate between the grade an agency receives and the true level of security within that agency," he said. "Just because an organization isn't good at showing compliance [with FISMA], it doesn't mean they are bad."
Eight agencies scored an A- or above on the new report card, matching the number with failing grades. The biggest improvements were at the Department of Justice, which jumped from a D to an A-, and the Department of Housing and Urban Development, which went from a D+ to an A+.
Meanwhile, NASA and the Department of Education had the largest drop-offs. The space agency fell from a B- to a D-, and the Department of Education dropped from a C- to an F. The Department of Agriculture was given an F for the fourth straight year and had the lowest score overall -- 29.5 out of 100 points.
The Department of Veterans Affairs, which got an F last year and then suffered a massive data breach when a laptop PC was stolen from an employee's home last May, didn't receive a grade this year because it has yet to file a FISMA report for 2006.