Federal IT security barely passes muster
By Tony Lee Orr
Congress this month took a cattle prod to agencies on systems security, giving the government a D minus for its efforts overall.
'No one was paying much attention to the Y2K problem until we began issuing report cards, grading federal agencies on their progress and preparing for the date change,' Rep. Steve Horn (R-Calif.) said last week.
Most agencies this month received barely passing grades on their security efforts; more than a half-dozen garnered failing marks.
Horn, chairman of the House Government Reform Subcommittee on Government Management, Information and Technology, said he hopes the grades spur the agencies to action, the way his earlier date code marks did.
'Those [year 2000] grades got the agencies' attention, and they went to work on the problem; no one wants a failing grade,' he said. 'That same type of effort must now be focused on protecting government computers from unauthorized attempts to access or disrupt them.'
Although some federal officials decried the use of the grading process for security and said it could worry citizens, they agreed there is room for improvement in how the government ensures the privacy and integrity of its electronic stockpile of information.
The subcommittee based its grades on questionnaires completed by agencies' officials; it also took into account reports from the General Accounting Office and inspectors general.
Agencies were first assigned a score based strictly on the questionnaire answers. The scores were then reduced, by up to 20 points, based on the GAO and IG audits.
The Social Security Administration scored highest, receiving a B. The National Science Foundation made the second highest grade, a B minus.
Less than stellar
Only five agencies made average grades of C; six agencies barely passed with D or D minus grades. Seven agencies flunked. The subcommittee decided the information was not complete enough to rate four agencies, including the Energy Department and the Nuclear Regulatory Commission.
DOE, which scored 98 percent based on its questionnaire response, has suffered a number of embarrassing security problems of late. NRC, which made a 95 based on its answers, typically scores well on security reviews.
SSA, which received a 100 on its questionnaire responses, scored well because it embraced the computer security issue earlier than most, testified John R. Dyer, SSA's chief information officer. The agency reacted to the issue much as it did to the year 2000 problem, he said.
Now, each modification to Social Security systems or applications is reviewed with security in mind, Dyer said.
The Interior Department scored the lowest: it received a 37 on the questionnaire response and was downgraded to a 17 after review of GAO and IG materials.
Some within government said the grading process does not accurately reflect security success stories within agencies. The same assertions were common when Horn quarterly issued the year 2000 grades.
'The departments were candid in the sense of the grades,' Sally Katzen, deputy director for management for the Office of Management and Budget, told the subcommittee during a separate hearing. 'They were given no credit for what they were doing.'
The amount of security needed must be commensurate with the value of the data at risk, she said.
The Defense Department, which garnered a D plus, should be held to a higher standard than a civilian agency, such as the Commerce Department, which received a C minus, she said. Scored on the questionnaire alone, DOD would have made 89 percent; Commerce would have walked away with a 92.
Set standards
To help agencies meet security needs, the CIO Council is developing a rating structure to gauge adherence to standards. It will be similar to the Capability Maturity Model created by Carnegie Mellon University to rate an organization's software development strength.
The council expects to finish its security model next month, former Energy Department CIO John Gilligan said.
Gilligan, who left his post at Energy this month for an Air Force position, also noted that the grading system might be unfair.