Government gets 'D' on security

2003 security report card

Federal agencies are still far behind where they need to be on information security, scoring a governmentwide grade of D for 2003 based on grades released today by Rep. Adam Putnam (R-Fla.).

But there are potential sources for improvement over the next year with some encouragement from Congress.

Putnam's score card follows three years of grading performed by former Rep. Stephen Horn (R-Calif.) and the staff of his subcommittee of the House Government Reform Committee. For the first time, the grades are based on the same criteria as the year before by using the self-assessments each agency submits to the Office of Management and Budget under the Federal Information Security Management Act (FISMA). Congress and agencies can track improvement or new weaknesses, said Putnam, chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Some agencies showed significant improvement, including the National Science Foundation, which moved to an A-minus from a D-minus, and the Labor Department, which went to a B from a C-plus. But 14 agencies received a grade below C-minus and eight failed. In three departments, the inspector general did not submit the corresponding assessment that the law requires as an independent comparison.

One of the failing agencies was the Homeland Security Department. The failure is understandable because the organization is still coming together, Putnam said. "We expect significant improvement from [DHS] next year," he said. "They should be the leaders."

OMB's report on agency assessments is due March 1. The subcommittee will hold a hearing at that point to, among other things, examine differences between the OMB evaluation and the grades. The two viewpoints differed greatly in the past, and it will be important to explain discrepancies, Putnam said.

Over the coming months, the subcommittee will meet with chief information officers from every agency to get detailed remediation plans. The goal is to provide oversight and get failing agencies to learn from those that scored well or made significant improvements, Putnam said.

The biggest area of concern is that only five of the 24 agencies reviewed have completed inventories of critical information technology assets, a listing required for the last four years by FISMA and its predecessor, the Government Information Security Reform Act of 2000.

"That is a clear part of the law, and it is disturbing that 19 of the agencies are still out of line," Putnam said. "I don't underestimate the challenge, but the fact of the matter is they need to do it....Some folks have proved it can be done, and not just small agencies."

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, and Sen. Susan Collins (R-Maine), chairwoman of the Senate Governmental Affairs Committee, expressed their concerns. Collins said the low grades were unacceptable for agencies that oversee many portions of the nation's critical infrastructure.

"While we're making progress, it's important to note that we're still not at a point where information security is being taken seriously by every agency and department," said Davis, coauthor of FISMA. "Clearly, our goal of making computer security a constant management focus has not been met."

The subcommittee staff will work with both committees to approach the appropriations committees and make sure that security is taken into consideration and agencies receive the support they need, officials said. Although there is no evidence to show that money is a problem, what appropriators emphasize can affect an agency management's choices, said Bob Dix, Putnam's chief of staff.

Agency                                   2003   2002
Nuclear Regulatory Commission            A      C
National Science Foundation              A-     D-
Social Security Administration           B+     B-
Labor Department                         B      C+
Education Department                     C+     D
Veterans Affairs Department*             C      F
Environmental Protection Agency          C      D-
Commerce Department                      C-     D+
Small Business Administration            C-     F
Agency for International Development     C-     F
Transportation Department                D+     F
Defense Department*                      D      F
General Services Administration          D      D
Treasury Department*                     D      F
Office of Personnel Management           D-     F
Energy Department                        F      F
Health and Human Services Department     F      D-
Interior Department                      F      F
Agriculture Department                   F      F
Housing and Urban Development Dept.      F      F
State Department                         F      F
Homeland Security Department             F      --
Governmentwide average                   D      F
* — No independent evaluation from the inspector general.
Source: House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

