Feds bring home a D+

Security is still a tough assignment

Related Links: Federal Information Security Management Act 2004 Report to Congress

The federal government got a D-plus on its annual security report card from Rep. Tom Davis (R-Va.) this month, even after federal agencies spent $4.2 billion in fiscal 2004 on securing their information systems.

That represents about 7 percent of the value of the federal government’s $59 billion information technology portfolio, according to a new report on security compliance that Office of Management and Budget officials submitted to Congress.

For the first time, agency inspectors general rated agency chief information officers on the quality and quantity of completed certification and accreditation procedures, which are primary measures of agencies’ information security. Among the 24 largest federal agencies, the IGs rated seven, including the Homeland Security and Defense departments, as having poor security procedures.

Speaking at a news conference on the role of IGs under the Federal Information Security Management Act (FISMA) of 2002, Davis said IGs need to standardize their evaluation processes to guarantee that comparisons among agencies are fair.

IGs were the focus of other criticism. Melissa Wojciak, staff director for the House Government Reform Committee, which Davis leads, said the U.S. Agency for International Development received an A on its security report card, but the agency’s IG did not independently review the information that the CIO submitted. “If IGs aren’t doing that,” she said, “they’re ignoring a statutory mandate.”

Wojciak said committee members have sent letters to three agency IGs. “The IGs are as much a part of this process as the CIOs, and if they are not working cooperatively and independently verifying this information, we certainly want to know about it, and we want to ask why.”

Davis said the federal government’s D-plus is not good enough, and announced that he has created a new forum for federal and private-sector chief information security officers. The educational forum, named CISO Exchange, will hold quarterly meetings at which corporate and federal officers can share ideas for improving the information systems security practices that FISMA requires.

Davis named Wojciak and Vance Hitch, the Justice Department’s CIO, as the group’s leaders. “FISMA is about good management practices, and the CISO Exchange will help promote that,” Wojciak said.

The forum will receive no government funding. Stephen O’Keeffe, president of O’Keeffe and Co., a federal IT public relations and events company, will serve as its executive director.

Davis said federal agencies showed progress last year in some areas of compliance with FISMA. But he said they must still make significant improvements.

Federal agencies came up short on providing specialized training for employees who have significant responsibility for government information and information systems, despite spending more than $55 million on security training last year.

The FISMA report to Congress showed significant differences in security training costs across the government. Transportation Department officials, for example, reported spending an average of $7.94 per employee for such training. By contrast, Department of Housing and Urban Development officials said they spent an average of $122.93 per employee. The governmentwide average was $13.33 per employee.

Noting that not all report card news was bad, Davis said DOT, which has 485 systems, got an A-minus after receiving a D-plus last year. Dan Matthews, DOT’s CIO, said hiring Titan to standardize the department’s security certification and accreditation procedures made the difference.


Security measures show improvement

Office of Management and Budget statistics on federal agencies’ compliance with the Federal Information Security Management Act of 2002 show significant improvement in fiscal 2004. But the positive numbers weren’t enough to raise the D-plus grade Congress gave the federal government on its security report card last month.

The table below shows the percentage of federal systems that met each criterion in fiscal 2003 and fiscal 2004:

Criterion                                          Fiscal 2003   Fiscal 2004
Established effective security and privacy controls    62%           77%
Factored security into system life cycle costs         77%           85%
Tested security controls                               64%           76%
Tested contingency plans                               48%           57%

Source: Office of Management and Budget
