Nuke agency shines bright in security

2003 Federal Computer Security Report Card

Managing an agency's information security is an ongoing struggle, and it is virtually impossible to reach a completely secure state. But two federal agencies have found a way to earn better grades: If you teach them, they will lock systems down.

The Transportation Department and the Nuclear Regulatory Commission took two of the biggest jumps to improve their grades on the annual Computer Security Report Card issued in December by Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

The secret is simple: Teach everyone at the agency, from the board room to the computer room, the importance of security and practice the procedures to make it work.

NRC, in fact, received the only A with a score of 94.5 in 2003, which moved the agency up from a C on the 2002 report card.

DOT had nowhere to go but up and still has a long way to go. In 2002, DOT received one of 13 Fs when it scored a 28. But this year's grade improved to 69, which is a D-plus.

DOT's grade is still lagging, but Rebecca Leng, DOT's deputy assistant inspector general for information technology and computer security, said the department deserves kudos for the jump because "we made them work very hard."

Agency inspectors general serve an important role under the Federal Information Security Management Act of 2002 as independent reviewers. Security management improves considerably when the inspector general's office works closely with the chief information officer's staff to make improvements, Leng said.

"We have to make sure management understands that we still have a lot of unfinished make sure that we don't slip on the security issue," she said.

NRC leaders also were critical in improving the agency's grade, according to CIO Ellis Merschoff.

"It's a pleasure to be a CIO at an agency that recognizes the importance of computer security and is willing to provide the support and funds to carry it out," he said.

But specific actions also helped NRC. The agency instituted a four-level review structure for its systems and programs, said Charlotte Turner, acting senior information security officer. The accompanying checklist ensures that critical issues, including security concerns, are addressed and resolved at each of the four levels before a system gains final approval.

The review structure starts with a branch manager-level focus group, moves up to a division director-level council, then to an office director-level senior advisory council and finally to the executive director-level committee.

An important goal is to drum accountability into the business staff that has direct responsibility for overseeing systems, said Louis Numkin, one of the agency's three full-time security officers.

"The owner actually runs the ship; we're there to guide them," he said.

NRC has instituted a security training and awareness program that other agencies are copying, including the U.S. Mint and the Centers for Medicare and Medicaid Services.

The program focuses on the CyberTyger character created eight years ago, which appears on everything from calendars to first-aid items distributed at NRC. The character symbolizes information security. Numkin said NRC conducts regular events to make sure that everyone working at the agency, not just the IT staff, understands the importance of security.

Both organizations use a standardized certification and accreditation process, said Lisa Schlosser, DOT's associate CIO for IT program management.

"Instead of trying to piecemeal [certification and accreditation], we brought it to the departmental level with a department-level team," she said. "One team, one methodology, standardized templates."
