Agencies get failing grades on cybersecurity

Federal efforts to secure critical computer systems and sensitive information are improving, but more than half of all agencies are still doing very poorly at the task, lawmakers said Tuesday.

Overall, the federal government received a grade of D for cybersecurity, up from a grade of F a year earlier, according to the 2003 Federal Computer Security Scorecard released Tuesday. While most agencies and departments showed improvements in computer security and monitoring over previous years, more than half still received a grade of D or F.

"Who in the world would want to carry that home to their parents?" asked Rep. Adam Putnam, R-Fla., chairman of the House Government Reform subcommittee that compiled the scorecard.

The scorecard is based on information reported by each agency and federal inspectors general to Congress and the Office of Management and Budget. Eight agencies received a grade of F. Nineteen failed to complete reliable inventories of their critical information technology assets. Additionally, the inspectors general for the departments of Veterans Affairs, Treasury and Defense failed to submit security reports as required by the 2002 Federal Information Security Management Act.

"For too long we have allowed information security to take a back seat to overall preparedness in this nation," Putnam said.

The Nuclear Regulatory Commission and the National Science Foundation made the greatest strides in protecting their computer systems during the last year, receiving grades of A and A- respectively for their efforts. The Social Security Administration and Labor Department also fared well, receiving grades of B+ and B respectively.

The Defense Department received a D and the departments of Energy and Homeland Security received Fs, a notable concern given that those departments handle sensitive security information. Several of the agencies that merged into Homeland Security had received failing grades on scorecards in previous years.

"We expect significant improvement from Homeland Security next year," Putnam said. "They should be leaders in improving their computer networks."

The departments of Agriculture, Interior and Justice all have received failing grades since the subcommittee began issuing the scorecards.

Sen. Susan Collins, R-Maine, who chairs the Senate Governmental Affairs Committee, called the failing grades "unacceptable" and urged agencies to take immediate action to improve cybersecurity.

"The administration has reason to believe that cyberattacks could be part of terrorists' game plans," she said. "We cannot afford to be caught off guard."

Agencies with good grades had common characteristics. They completed inventories of their critical information technology assets; identified critical infrastructure and systems; implemented strong incident reporting procedures; had tight controls over contractors; and developed strong plans and milestones for finding and eliminating security weaknesses.

Putnam said it is "alarming" that 19 agencies have not completed reliable inventories of their technology assets. He said the subcommittee will meet with chief information officers at each agency in the coming weeks to learn how they are handling cybersecurity and to develop plans and milestones for improving grades in agencies that are failing. Additionally, the subcommittee will meet with House appropriators to develop "appropriate responses" to security problems, Putnam said. Under the 2002 E-Government Act, funding can be withheld from federal agencies that do not comply with security guidelines.

Putnam added that the Corporate Information Security Working Group he founded will issue a report in late winter or early spring on the roles and responsibilities of chief information officers, while OMB will issue its own set of cybersecurity grades for the federal government in March. The subcommittee plans to hold hearings on cybersecurity in the spring.