Feds bring home a D+

Security is still a tough assignment

The federal government got a D-plus on its annual security report card from Rep. Tom Davis (R-Va.) this month, even after federal agencies spent $4.2 billion in fiscal 2004 on securing their information systems.

That represents about 7 percent of the value of the federal government’s $59 billion information technology portfolio, according to a new report on security compliance that Office of Management and Budget officials submitted to Congress.

For the first time, agency inspectors general rated agency chief information officers on the quality and quantity of completed certification and accreditation procedures, which are primary measures of agencies’ information security. Among the 24 largest federal agencies, the IGs rated seven, including the Homeland Security and Defense departments, as having poor security procedures.

Speaking at a news conference on the role of IGs under the Federal Information Security Management Act (FISMA) of 2002, Davis said IGs need to standardize their evaluation processes to guarantee that comparisons among agencies are fair.

IGs were the focus of other criticism. Melissa Wojciak, staff director for the House Government Reform Committee, which Davis leads, said the U.S. Agency for International Development received an A on its security report card, but the agency’s IG did not independently review the information that the CIO submitted. “If IGs aren’t doing that,” she said, “they’re ignoring a statutory mandate.”

Wojciak said committee members have sent letters to three agency IGs. “The IGs are as much a part of this process as the CIOs, and if they are not working cooperatively and independently verifying this information, we certainly want to know about it, and we want to ask why.”

Davis said the federal government’s D-plus is not good enough, while announcing that he has created a new forum for federal and private-sector chief information security officers. The educational forum, named CISO Exchange, will hold quarterly meetings for corporate and federal officers to meet and share ideas for improving information systems security practices, as required by FISMA.

Davis named Wojciak and Vance Hitch, the Justice Department’s CIO, as the group’s leaders. “FISMA is about good management practices, and the CISO Exchange will help promote that,” Wojciak said.

The forum will receive no government funding. Stephen O’Keeffe, president of O’Keeffe and Co., a federal IT public relations and events company, will serve as its executive director.

Davis said federal agencies showed progress last year in some areas of compliance with FISMA. But he said they must still make significant improvements.

Federal agencies came up short on providing specialized training for employees who have significant responsibility for government information and information systems, despite spending more than $55 million on security training last year.

The FISMA report to Congress showed significant differences in security training costs across the government. Transportation Department officials, for example, reported spending an average of $7.94 per employee for such training. By contrast, Department of Housing and Urban Development officials said they spent an average of $122.93 per employee. The governmentwide average was $13.33 per employee.

Noting that not all report card news was bad, Davis said DOT, which has 485 systems, got an A-minus after receiving a D-plus last year. Dan Matthews, DOT’s CIO, said hiring Titan to standardize the department’s security certification and accreditation procedures made the difference.


Security measures show improvement

Office of Management and Budget statistics on federal agencies’ compliance with the Federal Information Security Management Act of 2002 show significant improvement in fiscal 2004. But the positive numbers weren’t enough to raise the D-plus grade Congress gave the federal government on its security report card last month.

The figures below show the percentage of federal systems that met each criterion in fiscal 2003 and fiscal 2004:

Established effective security and privacy controls: 62% (fiscal 2003), 77% (fiscal 2004)
Factored security into system life cycle costs: 77% (fiscal 2003), 85% (fiscal 2004)
Tested security controls: 64% (fiscal 2003), 76% (fiscal 2004)
Tested contingency plans: 48% (fiscal 2003), 57% (fiscal 2004)

Source: Office of Management and Budget
