Feds bring home a D+

Security is still a tough assignment

Federal Information Security Management Act 2004 Report to Congress

Related Links

The federal government got a D-plus on its annual security report card from Rep. Tom Davis (R-Va.) this month, even after federal agencies spent $4.2 billion in fiscal 2004 on securing their information systems.

That represents about 7 percent of the value of the federal government’s $59 billion information technology portfolio, according to a new report on security compliance that Office of Management and Budget officials submitted to Congress.

For the first time, agency inspectors general rated agency chief information officers on the quality and quantity of completed certification and accreditation procedures, which are primary measures of agencies’ information security. Among the 24 largest federal agencies, the IGs rated seven, including the Homeland Security and Defense departments, as having poor security procedures.

Speaking at a news conference on the role of IGs under the Federal Information Security Management Act (FISMA) of 2002, Davis said IGs need to standardize their evaluation processes to guarantee that comparisons among agencies are fair.

IGs were the focus of other criticism. Melissa Wojciak, staff director for the House Government Reform Committee, which Davis leads, said the U.S. Agency for International Development received an A on its security report card, but the agency’s IG did not independently review the information that the CIO submitted. “If IGs aren’t doing that,” she said, “they’re ignoring a statutory mandate.”

Wojciak said committee members have sent letters to three agency IGs. “The IGs are as much a part of this process as the CIOs, and if they are not working cooperatively and independently verifying this information, we certainly want to know about it, and we want to ask why.”

Davis said the federal government’s D-plus is not good enough, while announcing that he has created a new forum for federal and private-sector chief information security officers. The educational forum, named CISO Exchange, will hold quarterly meetings for corporate and federal officers to meet and share ideas for improving information systems security practices, as required by FISMA.

Davis named Wojciak and Vance Hitch, the Justice Department’s CIO, as the group’s leaders. “FISMA is about good management practices, and the CISO Exchange will help promote that,” Wojciak said.

The forum will receive no government funding. Stephen O’Keeffe, president of O’Keeffe and Co., a federal IT public relations and events company, will serve as its executive director.

Davis said federal agencies showed progress last year in some areas of compliance with FISMA. But he said they must still make significant improvements.

Federal agencies came up short on providing specialized training for employees who have significant responsibility for government information and information systems, despite spending more than $55 million on security training last year.

The FISMA report to Congress showed significant differences in security training costs across the government. Transportation Department officials, for example, reported spending an average of $7.94 per employee for such training. By contrast, Department of Housing and Urban Development officials said they spent an average of $122.93 per employee. The governmentwide average was $13.33 per employee.

Noting that not all report card news was bad, Davis said DOT, which has 485 systems, got an A-minus after receiving a

D-plus last year. Dan Matthews, DOT’s CIO, said hiring Titan to standardize the department’s security certification and accreditation procedures made the difference.


Security measures show improvement

Office of Management and Budget statistics on federal agencies’ compliance with the Federal Information Security Management Act of 2002 show significant improvement in fiscal 2004. But the positive numbers weren’t enough to raise the D-plus grade Congress gave the federal government on its security report card last month.

The chart below shows the percentage of systems that met certain criteria in fiscal 2003 and 2004:

Established effective security and privacy controls
Fiscal 2003:62%
Fiscal 2004:77%
Factored security into system life cycle costs
Fiscal 2003:77%
Fiscal 2004:85%
Tested security controls
Fiscal 2003:64%
Fiscal 2004:76%
Tested contingency plans
Fiscal 2003:48%
Fiscal 2004:57%

Source: Office of Management and Budget


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected