By Brian Krebs
washingtonpost.com Staff Writer
March 15, 2006
Most federal agencies that play key roles in the war on terror are
doing a dismal job of protecting their computers and information
networks from hackers and viruses, according to portions of a report
to be released by a key congressional oversight committee Thursday.
The Department of Homeland Security, which is charged with setting the
government's cyber security agenda, earned a grade of F for the third
straight year from the House Government Reform Committee. Other
agencies whose failing marks went unchanged from 2004 include the
departments of Agriculture, Defense, Energy, State, Health and Human
Services, Transportation, and Veterans Affairs.
The House Government Reform Committee is expected to award the federal
government an overall grade of D-plus for computer security in 2005, a
score that remains virtually unchanged from 2004.
Several agencies saw a considerable drop in their scores. The
Department of Justice went from a B-minus in 2004 to a D in 2005,
while Interior earned failing marks after getting a C-plus in 2004.
The scores are "unacceptably low," committee Chairman Tom Davis
(R-Va.) said in a statement. "DHS must have its house in order and
should become a security leader among agencies. What's holding them
The annual report bases the grades on the agencies' internal
assessments and information they are required to submit annually to
the White House Office of Management and Budget. The letter grades
depended on how well agencies met the requirements set out in the
Federal Information Security Management Act (FISMA).
FISMA requires agencies to meet a wide variety of computer security
standards, ranging from operational details -- such as ensuring proper
password management by workers and restricting employee access to
sensitive networks and documents -- to creating procedures for
reporting security problems.
As online attacks against consumers and businesses have skyrocketed,
so have assaults against government information systems. Alan Paller,
director of research for the SANS Institute, a group in Bethesda, Md.,
that trains and certifies computer security professionals, said a
number of federal computer systems have been badly penetrated by
hackers and viruses over the past several years, in part because many
agencies do not adequately monitor their systems or apply software
security updates in a timely manner.
But Paller argues that the yearly FISMA grades force agencies to apply
scarce funding and employee time toward the wrong priorities.
"It turns out that the vast bulk of the federal information security
money is spent on documenting these systems, not on securing or
testing them against attacks," Paller said. "Most [agencies] are
spending so much on the paperwork exercises that they don't have a lot
of money left over to fix the problems they've identified."
Davis said he is interested in examining ways to ensure that FISMA
compliance does not become a paperwork exercise where agencies comply
with the letter, but not the spirit, of the law.
"We don't want them filling out forms to simply fill out forms, but in
my experience, when it comes to information security, it is still
difficult to get people -- even members of Congress -- engaged in the
issue," Davis said. "An attack could originate anywhere at any time,
and FISMA is the best tool we have to ensure that agencies are
proactively securing themselves."
While a number of agencies performed worse last year than in 2004,
many showed marked improvement in meeting federal computer security
The National Science Foundation and the General Services
Administration each saw their scores rise from a C-plus in 2004 to an
A last year. The Environmental Protection Agency and the Department of
Labor earned A-plus grades in 2005, up from B and B-minus
© 2006 Washingtonpost.Newsweek Interactive