By Sharon Gaudin
April 12, 2007
Eight government agencies, including the Department of Defense, the
Treasury, and the Nuclear Regulatory Agency, got failing grades Thursday
on their annual computer security report card.
Overall, for 2006 the government got a C- grade , which actually is
up slightly from the last three years when it received a grade of D+,
D+, and D. A third of the agencies received an F, while the same number
received between an A- and an A+.
Rep. Tom Davis, R-Va., ranking member of the House Government Oversight
and Reform Committee, presented the report card for the performance of
the 24 agencies covered by the Federal Information Security Management
"This grade indicates slow but steady improvement from past years,"
Davis said in a written statement. "Obviously, challenges remain. But
there are some excellent signs of progress in this year's report, and
The grades are derived from annual reports the agencies produce to
comply with the management act, which was passed in 2002. Agencies are
rated on annual tests of information security, whether they certify and
accredit their systems as secure, how well they manage the configuration
of their computers, how they detect and react to security breaches,
their training programs, and the accuracy of their inventories.
The departments of Justice and Housing and Urban Development showed the
most improvement. Justice went from a D in 2005 to an A- for 2006, while
HUD went from a D+ to an A+. The Department of Health and Human Services
also made great gains, going from an F to a B last year.
On the other side of the balance sheet, though, NASA dropped from a B-
in 2005 to a D- in 2006. The Department of Education also slipped from a
C- to an F.
The Department of Homeland Security, which is tasked with protecting the
United States from terrorist attacks, got a D for its computer security
efforts. That's up from 2005, though, when the department got a failing
grade. The State Department, along with the departments of Defense,
Education, and Treasury, also failed.
The Department of Veterans Affairs, which has been plagued with computer
and data losses, didn't make its report available.
"It's disturbing that some of the agencies with the most sensitive
information continue to score poorly on this," said Rep. Mike Turner,
R-Ohio, in a written statement. "The Department of Defense, the
Department of State and the Nuclear Regulatory Commission need to
Alan Paller, director of research for the SANS Institute, said in a
statement that this scorecard process is a positive effort that could
lead to meaningful change.
"By using the congressional grading process and thoughtful leadership to
place high priority on the most critical security initiatives, Rep.
Davis is helping agencies focus on stopping the increasingly
sophisticated attackers," he said. "It could have a profound effect if
changes in congressional focus and grading provide the necessary
incentive to persuade agencies to implement new secure configurations
faster and more broadly."
Subscribe to InfoSec News