Latest cybersecurity report card finds few agencies made the grade

Although the government's overall grade was better than in 2002, individual improvements are still too slow, Rep. Adam Putnam says.

Henrik G. de Gyor

Fourteen agencies improved their grades in cybersecurity, but the government's overall score was a D, according to the latest congressional report card.

Although the overall grade was better than the F the government received in 2002, improvement is still too slow, said Rep. Adam Putnam, chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The Florida Republican promised several steps to jump-start improvements in cybersecurity.

Fourteen of the major 24 agencies' grades were below a C, and eight flunked.

'We must do more and [do it] quicker if we are going to protect ourselves from a potential digital disaster,' Putnam said. 'There are substantial material weaknesses that expose agencies to potential cyberattacks. The damage that could be inflicted, both in terms of financial loss and potentially loss of life, is considerable.'

One issue is money, and Putnam said he would inform the House Appropriations Committee of the importance of adequate funding for information security.

Putnam also said his subcommittee would meet with CIOs to improve cybersecurity plans.

'We want to see specific remediation plans. We will encourage those who have done well to share their experiences'how they went from a D- to an A,' he said. 'I'd like to go to the CIO Council and have a candid dialogue.'

The subcommittee plans to hold a hearing in early March after the Office of Management and Budget releases its report on cybersecurity.

The subcommittee found that the agencies that performed well had five factors in common:
  • Complete inventories of critical IT assets

  • Thorough listings of critical infrastructure and mission-critical systems

  • Strong incident identification and reporting procedures

  • Tight controls over contractors

  • Strong plans for finding and eliminating security problems.

Inventories needed

Putnam said he was particularly troubled by the fact that only five agencies have done full inventories of their critical IT, a requirement of the Federal Information Security Management Act. He acknowledged that the report card results could be flawed slightly because the majority of grades are based on those incomplete inventories.

'We're four years into this, and only five agencies know what [IT assets] they have. It's disturbing,' he said. 'It does call into question everything else they are reporting.'

Agencies' scores are based on separate fiscal 2003 reports to OMB by agencies and their inspectors general. FISMA requires annual IT security reviews, reports and remediation.

The lack of independent reports from three agencies' IGs further calls into question the scorecard results, noted a subcommittee outline of the grading methodology.

Scores for the Defense, Treasury and Veterans Affairs departments 'may not reflect the same accuracy as the scores of the other 21 agencies, whose scores are based on more objective reporting,' the subcommittee said.

The Treasury IG for tax administration did submit a report to OMB about the IRS, which runs about 80 percent of the department's IT systems, the report card said.

Some agencies' grades jumped significantly, while others' stood still. For the first time in the four years since former Rep. Stephen Horn (R-Calif.) began grading agency security initiatives, two agencies got As. The Nuclear Regulatory Commission's grade jumped from a C to an A, and the National Science Foundation's grade went from a D- to an A-.

But the Energy, Justice, Housing and Urban Development, Interior, and State departments retained their failing grades. Two agencies' grades fell from 2002: NASA from a D+ to a D-, and the Health and Human Services Department from a D- to an F.

The Homeland Security Department got an F in its first year on the scorecard. Various component agencies of the new department previously had received low scores.

'We recognize the difficult reorganization that took place, and we expect significant improvement next year,' Putnam said about Homeland Security.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above