http://www.informationweek.com/news/showArticle.jhtml?articleID=199000653 

By Sharon Gaudin
InformationWeek
April 12, 2007

Eight government agencies, including the Department of Defense, the 
Treasury, and the Nuclear Regulatory Agency, got failing grades Thursday 
on their annual computer security report card.

Overall, for 2006 the government got a C- grade [1], which actually is 
up slightly from the last three years when it received a grade of D+, 
D+, and D. A third of the agencies received an F, while the same number 
received between an A- and an A+.

Rep. Tom Davis, R-Va., ranking member of the House Government Oversight 
and Reform Committee, presented the report card for the performance of 
the 24 agencies covered by the Federal Information Security Management 
Act.

"This grade indicates slow but steady improvement from past years," 
Davis said in a written statement. "Obviously, challenges remain. But 
there are some excellent signs of progress in this year's report, and 
that's encouraging."

The grades are derived from annual reports the agencies produce to 
comply with the management act, which was passed in 2002. Agencies are 
rated on annual tests of information security, whether they certify and 
accredit their systems as secure, how well they manage the configuration 
of their computers, how they detect and react to security breaches, 
their training programs, and the accuracy of their inventories.

The departments of Justice and Housing and Urban Development showed the 
most improvement. Justice went from a D in 2005 to an A- for 2006, while 
HUD went from a D+ to an A+. The Department of Health and Human Services 
also made great gains, going from an F to a B last year.

On the other side of the balance sheet, though, NASA dropped from a B- 
in 2005 to a D- in 2006. The Department of Education also slipped from a 
C- to an F.

The Department of Homeland Security, which is tasked with protecting the 
United States from terrorist attacks, got a D for its computer security 
efforts. That's up from 2005, though, when the department got a failing 
grade. The State Department, along with the departments of Defense, 
Education, and Treasury, also failed.

The Department of Veterans Affairs, which has been plagued with computer 
and data losses, didn't make its report available.

"It's disturbing that some of the agencies with the most sensitive 
information continue to score poorly on this," said Rep. Mike Turner, 
R-Ohio, in a written statement. "The Department of Defense, the 
Department of State and the Nuclear Regulatory Commission need to 
improve."

Alan Paller, director of research for the SANS Institute, said in a 
statement that this scorecard process is a positive effort that could 
lead to meaningful change.

"By using the congressional grading process and thoughtful leadership to 
place high priority on the most critical security initiatives, Rep. 
Davis is helping agencies focus on stopping the increasingly 
sophisticated attackers," he said. "It could have a profound effect if 
changes in congressional focus and grading provide the necessary 
incentive to persuade agencies to implement new secure configurations 
faster and more broadly." 

[1] http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf 


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org