Agencies' cybersecurity grades rise slightly

The government’s overall information technology security grade rose only slightly according to the latest House Oversight and Government Reform Committee’s score card, released today. But score cards ignore the fact that the overall cyber posture of agencies is so much better than it was a year ago, let alone four years ago, when most departments received failing grades, said an administration official and a key member of Congress. Rep. Tom Davis (R-Va.), ranking member of the committee, said agencies continue to make slow and steady progress across the board to reach a total score of C-, or 72.9 out of 100. Eight agencies received grades of A and eight others received failing grades for their cybersecurity position in 2006, the committee said. Four agencies earned a B and two earned a C. The Veterans Affairs Department did not receive a grade because it did not submit a Federal Information Security Management Act report last year, the committee said. “For those agencies that received an F, they are good, solid F’s,” said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. “When we started, we didn’t know where to even start. Now we are doing a better job knowing what we don’t know. I take this overall grade as my own. I would never accept a C for my kids, and I will not accept it as my own grade.” Evans and Davis both attributed the improved score to more agencies completing their systems inventory. OMB reported in its March FISMA report to Congress that 20 agency inventories were at least 80 percent complete, and a majority of those reported that their inventories were 96 percent to 100 percent finished. OMB said this is a decrease of one agency from the number that reported at least 80 percent complete in 2005. “Some agencies are still demonstrating large fluctuations in the number of systems in their inventories, both upwards and downwards,” the OMB report states. But Davis pointed to the Homeland Security Department as one example of an agency completing its inventory and seeing its grade rise. DHS received a D after earning an F the past three years. Still, Davis expressed concern about the grades for DHS and the Defense, State and Treasury departments. DOD, State and Treasury earned Fs. “DOD and DHS are not well-managed agencies,” Davis said. “DHS is dealing with culture issues and DOD is just poorly managed. DOD has a lot of fiefdoms and territory battles.” The Department of Housing and Urban Development is another agency that completed its inventory and saw improvement. HUD earned an A, up from a D last year. Lisa Schlosser, HUD’s chief information officer, credited a heightened security awareness program led by the agency’s chief information security officer, Pat Howard; executive support; and the department's commitment to do more than just comply with FISMA. “Our challenge is to capitalize on technology and improve our security program to address continued threats,” she said. “We got our inspector general to agree that we had a good inventory and process.” To continue to push agencies to improve, Davis said he would offer departments bonus points in next year’s score card if they move to a standard Windows desktop configuration this year. He also will look at other incentives. Additionally, Davis plans to reintroduce his data breach bill, which passed the House last year but died in the Senate. “We will work with the majority staff to take FISMA to the next level,” he said. “We will refine the legislation and try to get it through again.” Davis said he has not had any conversations with Rep. Henry Waxman’s (D-Calif.) staff about the bill but expects to soon. Evans said the administration supported Davis’ bill last year, but he hasn’t vetted the new bill with OMB yet. “The trend is a good one,” Davis said. “We see progress across the board so now agencies have to fine-tune what they are doing and keep constant vigilance.” Evans said the improvement is an indication of agencies having a good security foundation. “The next goal is to get agencies over the hump and make security second nature,” she said. “They must think about the risk certain activities put on the network and department. Management and staff must evaluate risk every day.”