Uncle Sam gets 'D-Plus' on cyber security

March 8, 2005

The Department of Homeland Security led a list of seven agencies that received flunking grades for their cyber security efforts in 2004, with the federal government at large earning an overall grade of "D-plus" from a key congressional oversight committee. For the fifth straight year, at least half of all federal agencies received a grade of "D" or worse on the House Government Reform Committee's annual cyber security report card.

Agencies that received failing marks include the departments of Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development, and Veterans Affairs. A grade of "D" was awarded to the departments of Defense and Treasury, as well as the National Aeronautics and Space Administration and the Small Business Administration.

The grades were based on internal assessments by the agencies and evaluations by the White House Office of Management and Budget. Agencies were graded on how well they met the requirements set out in the Federal Information Security Management Act (FISMA). The law requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems. This year's overall grade of "D-plus" was up slightly from last year's "D" and the "F" grade Uncle Sam earned on the report card in 2002.

Committee Chairman Tom Davis (R-Va.) said he was encouraged by the fact that 10 agencies improved their scores over 2003, increasing the overall governmentwide grade by 2.5 points this year. But he chided agencies for not moving fast enough.

"I hope it won't take some kind of major cyber attack to wake everybody up," Davis said.

Eight agencies earned lower grades for 2004. The departments of Commerce and Veterans Affairs saw their marks drop from a "C" two years ago to an "F" in 2004.

One explanation for the lower grades, according to Dennis Heretick, the chief information security officer for the Justice Department, is that agencies were required to meet new standards last year that were not evaluated in past report cards, such as determining how frequently agencies applied software patches to fix known computer security flaws.

Several agencies made significant gains in 2004. The Department of Justice, for example, increased its score from an "F" in 2003 to a "B-minus" last year. The U.S. Agency for International Development earned an "A-plus" -- up from a "C-minus" in 2003 -- though the agency was among three this year that failed to submit its internal assessment for an independent evaluation.

The Department of Transportation elevated its grade from a "D-plus" in 2003 to an "A-minus" last year, an increase that department chief information officer Dan Matthews attributed to high-level attention to computer security issues.

"One should never underestimate the power of [DOT Secretary Norman Mineta] telling the staff that he wants to make this happen," Matthews said. "I don't think there are a lot of agencies that do have the CIO talking to the secretary on a near daily basis."

Fifteen federal information security officers said establishing enforceable internal computer security policies was the key driver in improving their agencies' cyber security grades, according to a phone survey conducted by Telos Corp., a government technology contractor. Thirty out of 117 federal chief information security officers were contacted for the survey, results of which were released today in conjunction with the cyber security report cards.

Some computer security experts expressed concern that the annual report cards amount to little more than a bureaucratic exercise. For years, lawmakers in Congress have warned federal agency leaders that they would slash funding for technology projects that fail to meet basic computer security requirements. But despite such threats, agency funding has remained unaffected by high or low grades on the computer security report cards, according to federal security officers contacted for the Telos survey.

"If there are no incentives for agencies to comply with FISMA requirements, what is the point?" said Richard P. Tracy, chief security officer for Telos.

Amit Yoran, a former high-ranking cyber-security official in the Bush administration, said the report cards sometimes don't completely measure all the steps agencies have taken to improve security.

"This is more an audit of agency paperwork than it is jacking into the networks and looking at the systems and actual performance of an agency's security technologies," Yoran said. "That said, it is clear that the government is not at a level it needs to be in protecting its own systems."

Rep. Davis said cutting technology budgets for agencies that fail to improve their cyber security grade could prove counterproductive. But he said he plans to examine ways to amend the current law so that agencies that show marked improvements are rewarded for their progress.

"We'd like to make sure FISMA doesn't become a paperwork exercise where agencies comply with the letter of the law but not the spirit of it," he said.