Anti-terrorism agencies get lowest grades

Davis chastises federal agencies for shortsighted attitudes toward FISMA

Weaknesses and inconsistencies in agencies’ security management practices have left dangerous holes in critical infrastructures, according to the latest assessment of federal agencies’ compliance with the Federal Information Security Management Act. In light of continual low scores on information security, some security experts and congressional leaders say federal agencies must take FISMA requirements more seriously.

Nearly all federal agencies depend on automated systems and electronic data, congressional auditors said at a recent hearing on FISMA grades. Without those assets, agencies would likely be unable to manage resources and pursue their missions. People could steal federal payments, launch attacks on connected computer systems or abuse sensitive information about citizens. “Hence, the degree of risk caused by security weaknesses is high,” Government Accountability Office auditors wrote in their new report on FISMA compliance.

Federal agencies average a D-plus on the 2005 computer security report cards from the House Government Reform Committee, the same as the 2004 average grade.

Notably, agencies whose missions include homeland security received failing grades. “For most people, this is an abstract, inside-the-Beltway issue,” said Rep. Tom Davis (R-Va.), the committee’s chairman, at a March 16 hearing held to announce the 2005 grades. “FISMA is still viewed by some federal agencies as a paperwork exercise, but these are shortsighted observations.”

Davis singled out agencies with failing grades. “If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers,’ ” he said. “The scores for the departments of Defense, Homeland Security, Justice, State — the agencies on the front lines in the war on terrorism — remained unacceptably low or dropped precipitously.”

Agencies made improvements in developing configuration management plans, training security employees, developing and maintaining an inventory, certifying and accrediting systems, and testing, Davis said. Nevertheless, the committee still has concerns, he said.

GAO auditors found that none of the 24 major agencies that receive FISMA grades have agencywide information security programs, which FISMA requires. Agencies do not adequately assess risks or develop risk-based policies or procedures for securing information. Many agencies still do not have complete inventories of their major information systems, GAO reported.

Chief information officers at two agencies that demonstrated consistent improvements in information security — the Social Security Administration and the Labor Department — testified before the Government Reform Committee about best practices.

SSA has always emphasized security, and much of its success is because of senior managers’ strong backing of FISMA requirements, said Thomas Hughes, SSA’s CIO. The agency received an A-plus for 2005, up from last year’s B.

Thomas Wiesner, Labor’s deputy CIO, said strong support from all levels of management helps the agency strengthen security. “Security is integrated into every IT project,” he added.

Lawmakers focused on the low-scoring agencies, too. DHS remained level with its 2004 grade of F. Defense slid from a D to an F, Justice dropped from a B-minus to a D, and State fell from a D-plus to an F.

Gregory Wilshusen, director of information security issues at GAO, said securing large, diverse departments is tough, especially when agencies merge, as in the case of DHS.

After the hearing, Scott Charbo, DHS’ CIO, said 26 percent of the department’s major systems were certified five months ago, and now 62 percent are certified. That is significant progress, he said.

At a committee hearing in 2005, Steve Cooper, DHS’ former CIO who is now CIO at the Red Cross, said the department had procedures in place that would enable it to earn a respectable grade by 2006. “We are absolutely on track to succeed,” he said.

The House committee tallied the departments’ scores on the basis of its analysis of responses from agency CIOs and agency IGs to the annual IT security reviews of their systems and programs. The weighted scores are based on the Office of Management and Budget’s performance metrics. A perfect score is 100.

Davis said it is difficult to encourage lawmakers to take an interest in the FISMA report. At the March 16 hearing, only five of the 40 committee members attended.
