A Federal Case: Agencies Fail IT Security Test

Agencies responsible for keeping the nation safe receive some of the lowest grades from the Federal Information Security Management Act's 2005 report card.

If consistency were the goal, the federal government would score high in complying with computer security requirements—year after year Washington performs consistently poorly.

On the 2005 report card issued March 16, the government earned a D+, with agencies responsible for keeping the nation safe receiving some of the lowest grades: The Department of Homeland Security earned an F, the Department of Defense an F, and the Department of Justice a D.

"The agencies on the front line in the war on terror remained unacceptably low or dropped precipitously," said Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, which reviewed the grades sent to Congress.

The ratings are meant to show how well agencies meet the mandates of the Federal Information Security Management Act, which sets forth security standards as well as operational and reporting requirements.

Eight agencies failed the FISMA test in 2005, including the departments of Agriculture, Energy, State, Transportation and Veterans Affairs, but committee members took the information officers of DOD and DHS, in particular, to task for failing to show significant improvements over the last year.

"Whats happening with the two most strategic and sensitive agencies? Is it incompetence? Is it cronyism?" said Rep. Diane Watson, D-Calif.

"I dont feel comfortable that my homeland is secure. What are you securing?"

Areas of greatest concern to policymakers include inconsistent incident reporting, inconsistent contingency plan testing, lack of specialized security training and lack of configuration management policies, Davis said.

Despite the governments overall poor rating, some agencies showed improvement.

Five agencies, including the Department of Labor, Environmental Protection Agency and Social Security Administration, received an A+.

The National Science Foundation earned an A, up from a C+, and the General Services Administration earned an A-, up from a C+.

Tom Hughes, chief information officer at SSA, said that his agencys success results from an agencywide approach to data security and accountability among the top executives.

/zimages/2/28571.gifClick here to read more about the governments claims of progress in its security efforts.

The larger agencies face more complicated security challenges because they are often composed of semi-autonomous bureaus with separate missions, funding and technologies, and vulnerabilities in one bureau can affect other parts of the department, said Gregory Wilshusen, director of Information Security Issues at the Government Accountability Office.

"Its going to require that agency top management and the management of the different bureaus be held accountable," Wilshusen said.

Industry observers widely agree that only greater accountability and commitment at the top will lead to improvement in the future.

"In the commercial world, people get fined or go to jail when they dont comply. The Feds dont seem to have the same motivation," said Chris Farrow, director for the Center for Policy and Compliance at Configuresoft, adding that many agencies are not lacking in funding or tools.

"Homeland Defense has the largest budget out there. They got an F last year, and this year they failed again."

Theres some concern that many of the agencies are focused on "studying for the test" rather than on long-term, sustainable security.

"The question is, what does a B really mean? Does it mean that someone just knows how to take the test now?" said Richard Tracy, CTO of Telos, which sells automated certification and accreditation tools.

"Its not just about checking the box."

In the realm of certification and accreditation of networking systems, some agencies have invested heavily in labor to improve their grades, said Tracy.

At any given agency there are hundreds of systems affected by FISMAs C&A requirements, Tracy said.

Detailed information about IT assets must be collected, evaluated for a variety of security requirements and assessed for risks, and automated tools could reduce costs by as much as 70 percent, he said.

"The next question will be how do we sustain this compliance? The answer will be automation," he said. "It has to be. Theres no other way around it."

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, views and analysis of technologys impact on government and politics.