U.S. lawmakers are contemplating new enforcement tools and financial incentives to spur better security practices after a report card on federal information security showed government CIOs managed a barely passing D+ average.
The rating for 2004, released earlier this month, is a half-grade up from the previous year's D. The notoriously low performance has called attention to substandard security measures taken to protect the government's networks and prompted lawmakers to demand improvements in Washington before making further demands on the private sector.
Seven agencies, including the departments of Energy, Commerce, Agriculture and Homeland Security, flunked the annual evaluation outright. The performance at the Department of Commerce was particularly disappointing, as the agency received the relatively commendable mark of C- one year ago. Of the 24 agencies evaluated, eight received lower grades this year than last.
"I think they take their eye off the ball," said Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform. "This demands constant attention. Every day they have to be thinking about this."
The Department of Transportation and the Agency for International Development were the star pupils this year, earning an A- and A+, respectively. Altogether, six agencies improved their scores during the grading period. The Department of Justice and the Department of the Interior won special commendation for their B- and C+ ratings, both great improvements over last year's failing grades.
Improved security came about largely from devoting greater resources to the certification and accreditation of IT systems and from establishing enforceable security policies, according to a survey conducted by Telos Corp., based in Ashburn, Va. The State Department, which earned a D+, up from last year's F, has now certified all its IT systems, according to Bruce Morrison, department CIO.
"We will try harder next year," Morrison said.
The agencies' budgets are not affected by the scores they receive for information security performance, leaving some to question the value of the assessment process. Davis said that the Federal Information Security Management Act, which requires the annual evaluation, may need to be amended to include enforcement provisions beyond the reporting requirements. In addition, a financial incentive for information security executives may be developed.
"I think over the long term there is going to be a link with funding," Davis said, adding that it would likely be an indirect link through bonuses.
The Federal CIO Council and Davis invited the private sector to join them in a new public/private information-sharing partnership. The forum, called the Chief Information Security Officer Exchange, or CISO, would allow companies to sponsor meetings between government and commercial information security officers. So far, no private sector companies have committed to the partnership, according to Davis' staff.