Poor grades can mask progress in complex IT environments, such as DHS

The Homeland Security Department has received an F on the last two computer security report cards issued by the House Government Reform Committee, prompting chairman Tom Davis (R-Va.) to warn that “DHS needs to get its house in order.”Outgoing CIO Steven I. Cooper gave the committee a frank assessment of the department’s cybersecurity road map for the coming year.“I’m hoping we’ll get to a D for 2005,” he said.It’s not that the department is not making progress, Cooper said. Some 2,500 IT systems have been certified and accredited, and a tangle of legacy systems are being consolidated and reorganized.But the scale used by the committee to grade compliance with the Federal Information Security Management Act masks much of that progress, Cooper said.“We have inherited a huge amount from our legacy environment,” he said. “We have more than 3,600 systems.”That means DHS lost 10 points because only 68 percent of systems had gone through C&A, even though they include many of the department’s most critical systems.The grading scale also includes 20 possible points for establishing detailed security configurations for a lengthy list of specific software platforms.“We have everything on the list,” Cooper said. Because the department plans to retire many of those platforms in its consolidation, it is focusing on configuration management for only those systems it plans to keep. For that, Cooper said, he expects to lose many of those 20 possible points.These losses and high thresholds in other areas make it unlikely DHS will rise above the 66 points needed to achieve a D for next year. Cooper said the department’s performance would make more visible improvement in 2006 as it completes the C&A process and meets other thresholds.