Anti-terrorism agencies get lowest grades
Davis chastises federal agencies for shortsighted attitudes toward FISMA
Weaknesses and inconsistencies in agencies’ security management practices have left dangerous holes in critical infrastructures, according to the latest assessment of federal agencies’ compliance with the Federal Information Security Management Act. In light of continual low scores on information security, some security experts and congressional leaders say federal agencies must take FISMA requirements more seriously.
Nearly all federal agencies operate automated systems and electronic data, congressional auditors said at a recent hearing on FISMA grades. Without those assets, agencies would likely be unable to gauge resources and pursue their missions. People could steal federal payments, launch attacks on connected computer systems or abuse sensitive information about citizens. “Hence, the degree of risk caused by security weaknesses is high,” Government Accountability Office auditors wrote in their new report on FISMA compliance.
Federal agencies average a D-plus on the 2005 computer security report cards from the House Government Reform Committee, the same as the 2004 average grade.
Notably, agencies whose missions include homeland security received failing grades.
“For most people, this is an abstract, inside-the-Beltway issue,” said Rep. Tom Davis (R-Va.), the committee’s chairman, at a March 16 hearing held to announce the 2005 grades. “FISMA is still viewed by some federal agencies as a paperwork exercise, but these are shortsighted observations.”
Davis singled out agencies with failing grades. “If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers,’ ” he said. “The scores for the departments of Defense, Homeland Security, Justice, State — the agencies on the front lines in the war on terrorism — remained unacceptably low or dropped precipitously.”
Agencies made improvements in developing configuration management plans, training security employees, developing and maintaining an inventory, certifying and accrediting systems, and testing, Davis said. Nevertheless, the committee still has concerns, he said.
GAO auditors found that none of the 24 major agencies that receive FISMA grades have agencywide information security programs, which FISMA requires. Agencies do not adequately assess risks or develop risk-based policies or procedures for securing information. Many agencies still do not have complete inventories of their major information systems, GAO reported.
Chief information officers at two agencies that demonstrated consistent improvements in information security — the Social Security Administration and the Labor Department — testified before the Government Reform Committee about best practices.
SSA has always emphasized security, and much of its success is because of senior managers’ strong backing of FISMA requirements, said Thomas Hughes, SSA’s CIO. The agency received an A-plus for 2005, up from last year’s B.
Thomas Wiesner, Labor’s deputy CIO, said strong support from all levels of management helps the agency strengthen security. “Security is integrated into every IT project,” he added.
Lawmakers focused on the low-scoring agencies, too. DHS remained level with its 2004 grade of F. Defense slid from a D to an F, Justice dropped from a B-minus to a D, and State fell from a D-plus to an F.
Gregory Wilshusen, director of information security issues at GAO, said securing large, diverse departments is tough, especially when agencies merge, as in the case of DHS.
After the hearing, Scott Charbo, DHS’ CIO, said 26 percent of the department’s major systems were certified five months ago, and now 62 percent are certified. That is significant progress, he said.
At a committee hearing in 2005, Steve Cooper, DHS’ former CIO who is now CIO at the Red Cross, said the department had procedures in place that would enable it to earn a respectable grade by 2006. “We are absolutely on track to succeed,” he said.
The House committee tallied the departments’ scores on the basis of its analysis of responses from agency CIOs and agency IGs to the annual IT security reviews of their systems and programs. The weighted scores are based on the Office of Management and Budget’s performance metrics. A perfect score is 100.
Davis said it is difficult to encourage lawmakers’ to take an interest in the FISMA report. At the March 16 hearing, only five of the 40 committee members attended.