Agencies get failing grades in cybersecurity, DHS worst of all

Latest report card from House finds Homeland Security and other security agencies failing badly in meeting FISMA standards.
Written by ZDNet UK, Contributor

Need proof that the agencies charged with fighting terror don't take cybersecurity seriously? Just take a look at the House Government Reform Committee's report card, released today. The Washington Post reports that the committee gave the federal government an overall grade of D-, and an F for the third straight year to the Dept. of Homeland Security and a slew of other agencies. Other insecure agencies include Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

A hearing on the report called “No Computer System Left Behind: A Review of the 2005 Federal Computer Security Scorecards” is scheduled for noon today.

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?"

The annual report bases the grades on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA).

According to the SANS Institute, several federal systems are badly compromised, "in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner," the Post wrote.

FISMA requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.

But SANS' Alan Paller questions whether FISMA compliance is more about paperwork than actual security.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."

Not every agency fared so badly, although the ones that improved aren't responsible for national security.

The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.
