Horn: Feds still fail security

The professor has given his final exam on computer security, and the results are miserable.

Overall, federal agencies earned a failing grade on Rep. Stephen Horn's latest report card on government security. The grades issued Nov. 19 were Horn's last. The California Republican, a former professor and university president, is retiring after a decade in Congress.

Of the 24 federal agencies Horn graded, 14 flunked.

The latest dismal evaluation drew no argument from the government's information technology chief, Mark Forman.

"The more IT systems that agencies and inspectors general review, the more security weaknesses they are likely to find," Forman told the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

Forman, associate director of IT and e-government at the Office of Management and Budget, said his own analysis "reveals that while progress has been made, there remain significant weaknesses."

One problem is that "many agencies are not adequately prioritizing their IT investments." They ask for money to develop new systems but have largely failed to improve the security of those they already operate, he said.

Forman vowed to change that. OMB has warned agencies that they will not get funding for new computer projects until they make progress on improving the security of existing systems, he said.

"OMB will assist agencies in reprioritizing their resources through the budget process," he said.

At some agencies, the lack of progress on computer security can be attributed to the absence of a chief information officer, Horn said.

The Transportation Department, which received a failing grade on Horn's report card, has had a senior IT executive for only 18 months out of the past six years. Despite recruiting efforts, the agency has been unable to attract a suitable CIO candidate, said Kenneth Mead, DOT's inspector general.

The Social Security Administration, which scored highest, has both a CIO and a chief security officer (CSO) and, in a recent reorganization, elevated the rank of the CSO, said James Lockhart, deputy commissioner of SSA.

Poor security performance continues as agencies use the Internet more and increase their interconnections with computer systems. That combination "poses significant risks to the government's and our nation's computer systems," according to the General Accounting Office, which evaluated agency performance for Horn.

Security weaknesses in government systems could permit hackers to steal personal information, eavesdrop or interfere with telecommunications, power distribution, water supplies, public health services, law enforcement and national defense, said Robert Dacey, GAO's director of information security.

"Reports of attacks and disruptions are growing, and they are becoming more complex and harder to trace," Horn said.

