Homeland Security finally transcends F cybersecurity grade

Annual scorecard by congressional panel a mixed bag but gives federal agencies overall a C-minus on information security, up slightly from previous years.
Written by Anne Broache, Contributor

The U.S. Department of Homeland Security received its first-ever nonfailing grade, while the federal government as a whole recorded incremental improvements on an annual computer security report card released Thursday by a congressional committee.

After receiving a grade of F every year since its debut in 2003, Homeland Security managed to pull up its marks to a D in this year's assessment by the U.S. House of Representatives Committee on Government Oversight.

The department, which has been dogged repeatedly for perceived inattentiveness to cybersecurity issues, scored a full letter grade higher this year. That's in part because it finally put into place an "inventory of its security systems," which is viewed as an important first step in ensuring that agencies know what they need to protect, according to a press release accompanying the report card.

Overall, the federal government's score rose a few points, from a D-plus last year to a C-minus this year. Some agencies--namely the U.S. Department of Justice and the U.S. Department of Housing and Urban Development--saw huge increases in their scores. Justice's grade rose from a D to an A-minus, while HUD's jumped from a D-plus to an A-plus.

"There are some excellent signs of progress in this year's report, and that's encouraging," Rep. Tom Davis (R-Va.), the committee's co-chairman, said in a statement.

But the news wasn't all good. NASA, by contrast, saw its scores plummet from B-minus to D-minus, and the Department of Education fell from a C-minus to an F. In addition to Education, seven more agencies, including the Departments of Commerce, Defense, State and Treasury, all received failing grades.

That news drew concern from Rep. Mike Turner (R-Ohio), chairman of a House subcommittee that deals with government information security issues. He lamented in a statement that "some of the agencies with the most sensitive information continue to score poorly on this."

The scores are based on reports from agencies about their compliance with a federal law known as the Federal Information Security Management Act of 2002. Known as FISMA for short, it established a broad framework of requirements, such as devising an information security program, keeping an inventory of systems, training personnel and contractors in security "awareness," evaluating the effectiveness of its program periodically, and making changes as necessary.

Davis said he is considering offering "bonus points" in next year's scores to agencies that effectively set up new systems, such as Microsoft's Windows Vista, in a secure fashion. The President's Office of Management and Budget recently issued a directive that orders federal agencies to adopt standard security configurations for both Windows XP and Vista by February 1.

Some security experts have publicly questioned the value of the FISMA measurements, but one such critic said he was encouraged by the incentive idea. Alan Paller, director of research for the SANS Institute, which offers cybersecurity training seminars, said the new approach "could have a profound effect" on the feds' readiness to fend off cyberattacks.

Liz Gasster, acting executive director of the Cybersecurity Industry Alliance, whose members include RSA and Symantec, said her organization was somewhat encouraged by the ratings but believes more work must be done. "While FISMA is an important first step in providing heightened information security awareness for agencies," she said, "there are not nearly enough consequences for those agencies who fail to comply."
