Feds bring home a D+

Security is still a tough assignment

Federal Information Security Management Act 2004 Report to Congress

Related Links

The federal government got a D-plus on its annual security report card from Rep. Tom Davis (R-Va.) this month, even after federal agencies spent $4.2 billion in fiscal 2004 on securing their information systems.

That represents about 7 percent of the value of the federal government’s $59 billion information technology portfolio, according to a new report on security compliance that Office of Management and Budget officials submitted to Congress.

For the first time, agency inspectors general rated agency chief information officers on the quality and quantity of completed certification and accreditation procedures, which are primary measures of agencies’ information security. Among the 24 largest federal agencies, the IGs rated seven, including the Homeland Security and Defense departments, as having poor security procedures.

Speaking at a news conference on the role of IGs under the Federal Information Security Management Act (FISMA) of 2002, Davis said IGs need to standardize their evaluation processes to guarantee that comparisons among agencies are fair.

IGs were the focus of other criticism. Melissa Wojciak, staff director for the House Government Reform Committee, which Davis leads, said the U.S. Agency for International Development received an A on its security report card, but the agency’s IG did not independently review the information that the CIO submitted. “If IGs aren’t doing that,” she said, “they’re ignoring a statutory mandate.”

Wojciak said committee members have sent letters to three agency IGs. “The IGs are as much a part of this process as the CIOs, and if they are not working cooperatively and independently verifying this information, we certainly want to know about it, and we want to ask why.”

Davis said the federal government’s D-plus is not good enough, while announcing that he has created a new forum for federal and private-sector chief information security officers. The educational forum, named CISO Exchange, will hold quarterly meetings for corporate and federal officers to meet and share ideas for improving information systems security practices, as required by FISMA.

Davis named Wojciak and Vance Hitch, the Justice Department’s CIO, as the group’s leaders. “FISMA is about good management practices, and the CISO Exchange will help promote that,” Wojciak said.

The forum will receive no government funding. Stephen O’Keeffe, president of O’Keeffe and Co., a federal IT public relations and events company, will serve as its executive director.

Davis said federal agencies showed progress last year in some areas of compliance with FISMA. But he said they must still make significant improvements.

Federal agencies came up short on providing specialized training for employees who have significant responsibility for government information and information systems, despite spending more than $55 million on security training last year.

The FISMA report to Congress showed significant differences in security training costs across the government. Transportation Department officials, for example, reported spending an average of $7.94 per employee for such training. By contrast, Department of Housing and Urban Development officials said they spent an average of $122.93 per employee. The governmentwide average was $13.33 per employee.

Noting that not all report card news was bad, Davis said DOT, which has 485 systems, got an A-minus after receiving a

D-plus last year. Dan Matthews, DOT’s CIO, said hiring Titan to standardize the department’s security certification and accreditation procedures made the difference.


**********

Security measures show improvement

Office of Management and Budget statistics on federal agencies’ compliance with the Federal Information Security Management Act of 2002 show significant improvement in fiscal 2004. But the positive numbers weren’t enough to raise the D-plus grade Congress gave the federal government on its security report card last month.

The chart below shows the percentage of systems that met certain criteria in fiscal 2003 and 2004:

Established effective security and privacy controls
Fiscal 2003:62%
Fiscal 2004:77%
Factored security into system life cycle costs
Fiscal 2003:77%
Fiscal 2004:85%
Tested security controls
Fiscal 2003:64%
Fiscal 2004:76%
Tested contingency plans
Fiscal 2003:48%
Fiscal 2004:57%

Source: Office of Management and Budget

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above