
Feds get C- security grade but Defense fails, DHS gets a D

Written by Richard Koman, Contributor

The conventional wisdom is that the federal government deserves failing grades for computer security. After all, the big VA breach of a year ago has been followed by many more stories of agencies losing computers, suffering data breaches and failing to encrypt sensitive data. Today a House committee handed out security report cards for all federal agencies, The Washington Post reports.

The good news is that, overall, the feds aren't failing: The average grade is C-minus. The bad news is that many agencies with critical systems have indeed earned Fs: the departments of Defense, Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission.

Not much better: the Department of Homeland Security earned a D, though that is an improvement on its 2005 grade.

C-minus is better than last year's D-minus, but note the negative trend: nine agencies earned lower scores than they did the previous year, and some fell considerably. NASA went from B-minus to D-minus, and Education went from C-minus to F.

So who gets the As? The Agency for International Development, Environmental Protection Agency, General Services Administration, the departments of Justice (!) and Housing and Urban Development, the National Science Foundation, the Office of Personnel Management, and the Social Security Administration.

The grades were based on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements detailed in the Federal Information Security Management Act, which requires agencies to meet a wide variety of computer security standards.

Critics of the process have called the annual FISMA reports more of a paperwork exercise than an accurate representation of the security of federal agencies' computers and networks. They say the reports do not require or give agencies credit for taking certain types of security precautions, such as penetration tests to locate gaps in security defenses.

That criticism has some weight with Alan Paller, director of research for the SANS Institute, a security training group.

"Shifting even half the money from report writing to actual security improvements could enable the government to lead by example in cyber security and provide the critical mass of incentive to integrators and system and software vendors to bake security into every product they sell," Paller said.