Government gets a collective F for its IT security

Security does not measure up

Source: House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

The government's overall grade for IT security fell from a D- to an F this year, according to a congressional report card released earlier this month.

Individual grades also fell for most of the 24 executive branch agencies evaluated by the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

Sixteen of the agencies, including the Defense Department, got failing grades. Five agencies received Ds and two, Cs. The National Science Foundation got the highest grade, a B+.

Chairman Steve Horn (R-Calif.) called on the president to take heed of what he called a sobering assessment.

'All of us in Congress are well aware that the nation is in a state of war,' Horn said.

The evaluation gave the first glimpse of security reports required under last year's Government Information Security Reform Act, now being reviewed by the Office of Management and Budget.

Agencies must submit annual self-evaluations with their budget requests, documenting how security planning and funding are integrated into project life cycles.

OMB provided raw data from the reports to Horn's subcommittee, which also used information from the General Accounting Office and agency inspector general audits.

GAO found 'continuing pervasive weaknesses' in IT security, said Robert F. Dacey, director of information security issues.

Mark Forman, OMB's associate director of IT and e-government, said the office would release its own report on GISRA data along with the president's fiscal 2003 budget proposal.

Despite the low grades, Forman said some agencies appeared to be graded too leniently in the report card. But he disputed the negative assessment of DOD systems.

'We see the Defense Department as operating at a significantly higher level of security than [the] rating suggests,' he said.

Forman said OMB would use its control over purse strings to enforce security in the fiscal 2002 and 2003 budgets.

'We are going to stop funding for any project that does not adequately address security requirements,' he said.

The strength of GISRA, he said, is that it 'highlights the reality that when security funding and implementation are separated from the operational program, program officials and users begin to ignore it.'

Grades were determined by a weighted 100-point scale based on information required on GISRA reports as well as other areas examined in GAO and IG audits. An agency had to score at least 90 points to get an A, 80 for a B, 70 for a C and 60 for a D.

Forman said OMB is using the initial GISRA reports to establish a baseline for government security evaluations. He said there was considerable variation in the quality and completeness of information provided.

'This is the best set of information we have had,' he said, but 'we want more.'

Alan Paller, director of the SANS Institute of Bethesda, Md., said the evaluations were limited in scope.

'All the scoring is of the planning phase,' he said. 'There is no scoring of execution.'

But based on the relative rankings of agencies, there probably is a correlation between planning and output, Paller said. NASA, one of the few agencies with a system for measuring its security level, got one of the higher scores, a C-.

'I'm a fan of GISRA,' Paller said. 'I think it's working' because it is making agency heads focus on security. 'To do what NASA did takes senior management attention, but it doesn't take a lot of money.'

Not a money problem

Forman agreed that security is not a money problem. 'A high dollar figure says little about how effective security might be,' he said. 'We don't believe that adding more money will solve the problem. Money is not the issue. Focus is, and details.'

Not everyone agreed.

'I'm not convinced that Forman is right,' said Harris N. Miller, president of the Information Technology Association of America in Arlington, Va. 'The bottom line is money. Agencies simply do not have the funding available in their current budgets.'

He said that in private, CIOs complain they do not have the money for the technology, people and planning required to improve security. Without increased funding, results next year will be the same, Miller said.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
