Nuke agency shines bright in security

2003 Federal Computer Security Report Card

Related Links

Managing an agency's information security is an ongoing struggle, and it is virtually impossible to reach a completely secure state. But two federal agencies have found a way to earn better grades: If you teach them, they will lock systems down.

The Transportation Department and the Nuclear Regulatory Commission took two of the biggest jumps to improve their grades on the annual Computer Security Report Card issued in December by Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

The secret is simple: Teach everyone at the agency, from the board room to the computer room, the importance of security and practice the procedures to make it work.

NRC, in fact, received the only A with a score of 94.5 in 2003, which moved the agency up from a C on the 2002 report card.

DOT had nowhere to go but up and still has a long way to go. In 2002, DOT received one of 13 Fs when it scored a 28. But this year's grade improved to 69, which is a D-plus.

DOT's grade is still lagging, but Rebecca Leng, DOT's deputy assistant inspector general for information technology and computer security, said the department deserves kudos for the jump because "we made them work very hard."

Agency inspector generals serve an important role under the Federal Information Security Management Act of 2002 as independent reviewers. Security management improves considerably when the inspector general's office works closely with the chief information officer's staff to make improvements, Leng said.

"We have to make sure management understands that we still have a lot of unfinished business...to make sure that we don't slip on the security issue," she said.

NRC leaders also were critical in improving the agency's grade, according to CIO Ellis Merschoff.

"It's a pleasure to be a CIO at an agency that recognizes the importance of computer security and is willing to provide the support and funds to carry it out," he said.

But there were specific actions that also helped NRC. The agency instituted a four-level review structure for its systems and programs, said Charlotte Turner, acting senior information security officer. The checklist ensures that critical issues, including security concerns, are addressed and fulfilled four levels before gaining final approval.

The review structure starts with a branch manager-level focus group, moves up to a division director-level council, then to an office director-level senior advisory council and finally to the executive director-level committee.

An important goal is to drum accountability into the business staff that has direct responsibility for overseeing systems, said Louis Numkin, one of the agency's three full-time security officers.

"The owner actually runs the ship; we're there to guide them," he said.

NRC has instituted a security training and awareness program that other agencies are copying, including the U.S. Mint and the Centers for Medicare and Medicaid Services.

The program focuses on the CyberTyger character created eight years ago, which appears on everything from calendars to first-aid items distributed at NRC. The character symbolizes information security. Numkin said NRC conducts regular events to make sure that everyone working at the agency, not just the IT staff, understands the importance of security.

Both organizations use a standardized certification and accreditation process, said Lisa Schlosser, DOT's associate CIO for IT program management.

"Instead of trying to piecemeal [certification and accreditation], we brought it to the departmental level with a department-level team," she said. "One team, one methodology, standardized templates."

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.