Nuke agency shines bright in security

2003 Federal Computer Security Report Card

Managing an agency's information security is an ongoing struggle, and it is virtually impossible to reach a completely secure state. But two federal agencies have found a way to earn better grades: If you teach them, they will lock systems down.

The Transportation Department and the Nuclear Regulatory Commission took two of the biggest jumps to improve their grades on the annual Computer Security Report Card issued in December by Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

The secret is simple: Teach everyone at the agency, from the board room to the computer room, the importance of security and practice the procedures to make it work.

NRC, in fact, received the only A with a score of 94.5 in 2003, which moved the agency up from a C on the 2002 report card.

DOT had nowhere to go but up and still has a long way to go. In 2002, DOT received one of 13 Fs when it scored a 28. But this year's grade improved to 69, which is a D-plus.

DOT's grade is still lagging, but Rebecca Leng, DOT's deputy assistant inspector general for information technology and computer security, said the department deserves kudos for the jump because "we made them work very hard."

Agency inspectors general serve an important role under the Federal Information Security Management Act of 2002 as independent reviewers. Security management improves considerably when the inspector general's office works closely with the chief information officer's staff to make improvements, Leng said.

"We have to make sure management understands that we still have a lot of unfinished make sure that we don't slip on the security issue," she said.

NRC leaders also were critical in improving the agency's grade, according to CIO Ellis Merschoff.

"It's a pleasure to be a CIO at an agency that recognizes the importance of computer security and is willing to provide the support and funds to carry it out," he said.

But specific actions also helped NRC. The agency instituted a four-level review structure for its systems and programs, said Charlotte Turner, acting senior information security officer. The checklist ensures that critical issues, including security concerns, are addressed and resolved at all four levels before a system or program gains final approval.

The review structure starts with a branch manager-level focus group, moves up to a division director-level council, then to an office director-level senior advisory council and finally to the executive director-level committee.

An important goal is to drum accountability into the business staff that has direct responsibility for overseeing systems, said Louis Numkin, one of the agency's three full-time security officers.

"The owner actually runs the ship; we're there to guide them," he said.

NRC has instituted a security training and awareness program that other agencies are copying, including the U.S. Mint and the Centers for Medicare and Medicaid Services.

The program focuses on the CyberTyger character created eight years ago, which appears on everything from calendars to first-aid items distributed at NRC. The character symbolizes information security. Numkin said NRC conducts regular events to make sure that everyone working at the agency, not just the IT staff, understands the importance of security.

Both organizations use a standardized certification and accreditation process, said Lisa Schlosser, DOT's associate CIO for IT program management.

"Instead of trying to piecemeal [certification and accreditation], we brought it to the departmental level with a department-level team," she said. "One team, one methodology, standardized templates."
