Interior uses new yardstick to gauge security progress

CIO W. Hord Tipton, says Interior expects to get an improved security rating from congressional reviewers this year.

Henrik G. de Gyor

Part of the reason, Interior's Roger Mahach says, is that it has taken into account the many aspects of security'people, processes, technology and IT maturity.

At the Interior Department, officials have developed a new evaluation format for IT security.

Many questions about Interior's security remain unanswered, however, and plaintiffs in a suit against Interior over American Indian trust asset management maintain that the department's IT security is still poor.

Interior's new IT security scorecard is part of an overall upgrade that was accelerated as a result of critical reports.

The scorecard is based on the red-yellow-green stoplight ratings used for the President's Management Agenda, but it includes several dimensions of systems security rather than the simple accredited-nonaccredited criterion mandated by the Federal Information Security Management Act.

CIO W. Hord Tipton and Roger Mahach, the department's IT security manager, said all 12 Interior bureaus and offices have reached the yellow, or 70 percent, level of IT security.

Moving up

'The thing that makes us proud is that two to three years ago, we were tied for last' in the scoring method used by the Government Reform Subcommittee on IT, Information Policy, Intergovernmental Relations and the Census, Tipton said.

In 2000, the subcommittee rated Interior at 17 percent, but this year Tipton expects 80 percent.

Mahach said that IT security rating 'cannot be a binary yes or no,' as the certification and accreditation process suggests. 'There are a lot of different aspects,' he said, 'and we are capturing all of them, including people, process, technology and maturity of the systems.'

Tipton said all Interior bureaus got a green score for network hardening. Interior IT specialists had identified about 1,000 vulnerabilities in January but brought that figure down to six.

'If you ask the Office of Management and Budget what our scorecard rating is, it would be red, because the systems are not certified and accredited,' Tipton said. But according to Interior's own rating, its bureaus fall in the yellow zone.

Interior has created an incident response center that operates around the clock. It plans to create a similar watch center to oversee its networks by September.

But some of the department's critics aren't satisfied. 'We have never seen a competent justification on what they have done on IT security, and we haven't seen any evidence that they have improved,' said Dennis Gingold, lead counsel for the plaintiffs in the 7-year-old Cobell vs. Norton litigation.

Interior's inspector general reported recently that the department's 'overall security program does not demonstrate that all information systems supporting its operations and assets are adequately protected.'

But the IG went on to say that over the past two years Interior has made progress 'in strengthening its IT security ... and has established security processes and documentation for its Indian Trust systems' that are better than most of its other systems.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above