Cybersecurity rating rises--barely

Lawmakers give government an overall grade of D+, up from a D in 2003, but several agencies make significant gains.

Despite governmentwide improvement in securing critical computer systems, most agencies continue to do a poor job, lawmakers said Wednesday.

Overall, the federal government received a D+ for cybersecurity, up from a D in 2003, according to the 2004 Federal Computer Security Scorecard released Wednesday. While some agencies and departments showed dramatic improvements in computer security over previous years, more than half of those graded saw their scores drop.

Rep. Tom Davis, R-Va., chairman of the House Government Reform Committee, which compiled the score card, said he views the report as progress but that significant areas still need improvement.

"We're moving the ball down the field," Davis said. "We haven't scored a touchdown, but we're moving the ball."

Davis said the areas needing improvement include annual contractor systems reviews, contingency plan testing, incident reporting, and specialized training for workers with significant security responsibilities.

The score card is based on information reported by each agency and federal inspectors general to Congress and the Office of Management and Budget. Seven agencies--Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development, Homeland Security and Veterans Affairs--received F grades; that is one less than in 2003.

"Several agencies continue to receive failing grades, and that's unacceptable," said Davis. "The committee will continue to explore the reasons these agencies continue to underperform."

The U.S. Agency for International Development received the highest grade, an A+, up from a C- in 2003, but the agency's inspector general failed to submit an independent evaluation of its security management program as required by the 2002 Federal Information Security Management Act. The inspectors general for the Treasury, Defense and Veterans Affairs departments did not provide independent evaluations of their agencies' FISMA reports for fiscal 2003. Their scores are based on self-reported numbers.

Davis praised the Transportation Department for receiving an A- and said it had achieved a remarkable turnaround from last year's D+. He said other agencies--such as State (D+), Interior (C+) and Justice (B-)--also made tremendous security improvements from last year.

The Defense Department's D did not change from last year, and Energy and Homeland Security's grades dropped, which is a significant concern because of the sensitive information those departments handle.

"Given the interconnectivity of systems across cyberspace, all it takes is one weak link to break the chain," Davis said. "The vulnerabilities of our systems are significant, and the potential damage that can be done is almost unspeakable."

Davis also announced the formation of the CISO Exchange, a public-private initiative focused on improving the government's cybersecurity through the agencies' chief information security officers. Davis and the CIO Council will co-chair the CISO Exchange. Private sector partners have not been specified yet.

A study released Wednesday by Telos Corp., which examined CISOs' responses to the computer security grading process, found that 60 percent believe the report card had no impact on agencies' budgets, and respondents questioned whether the report card has made better computer security any more urgent.

CISOs believe that enforceable IT security policies reflecting FISMA compliance are a major reason that scores improved, according to the report. Increased resources for certification, an emphasis on cybersecurity within the workforce, and a streamlined certification process were other reasons scores increased, the report found.

Seventy percent of CISOs said the Office of Management and Budget should clarify FISMA guidelines, and 53 percent said OMB should provide more guidance on the agencies' security control tests.