Anti-terrorism agencies get lowest grades

Davis chastises federal agencies for shortsighted attitudes toward FISMA

Weaknesses and inconsistencies in agencies’ security management practices have left dangerous holes in critical infrastructures, according to the latest assessment of federal agencies’ compliance with the Federal Information Security Management Act. In light of continual low scores on information security, some security experts and congressional leaders say federal agencies must take FISMA requirements more seriously.

Nearly all federal agencies rely on automated systems and electronic data, congressional auditors said at a recent hearing on FISMA grades. Without those assets, agencies would likely be unable to gauge resources and pursue their missions. If those assets were compromised, people could steal federal payments, launch attacks on connected computer systems or abuse sensitive information about citizens. “Hence, the degree of risk caused by security weaknesses is high,” Government Accountability Office auditors wrote in their new report on FISMA compliance.

Federal agencies averaged a D-plus on the 2005 computer security report cards from the House Government Reform Committee, the same as the 2004 average grade.

Notably, agencies whose missions include homeland security received failing grades. “For most people, this is an abstract, inside-the-Beltway issue,” said Rep. Tom Davis (R-Va.), the committee’s chairman, at a March 16 hearing held to announce the 2005 grades. “FISMA is still viewed by some federal agencies as a paperwork exercise, but these are shortsighted observations.”

Davis singled out agencies with failing grades. “If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers,’ ” he said. “The scores for the departments of Defense, Homeland Security, Justice, State — the agencies on the front lines in the war on terrorism — remained unacceptably low or dropped precipitously.”

Agencies made improvements in developing configuration management plans, training security employees, developing and maintaining an inventory, certifying and accrediting systems, and testing, Davis said. Nevertheless, the committee still has concerns, he said.

GAO auditors found that none of the 24 major agencies that receive FISMA grades have agencywide information security programs, which FISMA requires. Agencies do not adequately assess risks or develop risk-based policies or procedures for securing information. Many agencies still do not have complete inventories of their major information systems, GAO reported.

Chief information officers at two agencies that demonstrated consistent improvements in information security — the Social Security Administration and the Labor Department — testified before the Government Reform Committee about best practices.

SSA has always emphasized security, and much of its success is because of senior managers’ strong backing of FISMA requirements, said Thomas Hughes, SSA’s CIO. The agency received an A-plus for 2005, up from last year’s B.

Thomas Wiesner, Labor’s deputy CIO, said strong support from all levels of management helps the agency strengthen security. “Security is integrated into every IT project,” he added.

Lawmakers focused on the low-scoring agencies, too. DHS remained level with its 2004 grade of F. Defense slid from a D to an F, Justice dropped from a B-minus to a D, and State fell from a D-plus to an F.

Gregory Wilshusen, director of information security issues at GAO, said securing large, diverse departments is tough, especially when agencies merge, as in the case of DHS.

After the hearing, Scott Charbo, DHS’ CIO, said 26 percent of the department’s major systems were certified five months ago, and now 62 percent are certified. That is significant progress, he said.

At a committee hearing in 2005, Steve Cooper, DHS’ former CIO who is now CIO at the Red Cross, said the department had procedures in place that would enable it to earn a respectable grade by 2006. “We are absolutely on track to succeed,” he said.

The House committee tallied the departments’ scores on the basis of its analysis of responses from agency CIOs and agency inspectors general (IGs) to the annual IT security reviews of their systems and programs. The weighted scores are based on the Office of Management and Budget’s performance metrics. A perfect score is 100.

Davis said it is difficult to encourage lawmakers to take an interest in the FISMA report. At the March 16 hearing, only five of the 40 committee members attended.
