Government Flunks IT Security

U.S. Protection agencies flounder on report card.

Key federal agencies are receiving low or failing grades on the security of their IT infrastructures, fueling criticism of the departments charged with keeping the nation safe.

In a report card issued March 16 by the U.S. House Committee on Government Reform, the government last year earned a D+. Both the Department of Homeland Security and the Department of Defense received an F, and the Department of Justice a D.

"The [security grades for the] agencies on the front line in the war on terror remained unacceptably low or dropped precipitously," said Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, which reviewed the grades sent to Congress by the agencies.

The ratings show how well agencies meet the mandates of the Federal Information Security Management Act, which sets forth security standards, as well as operational and reporting requirements. Committee members took the information officers of the DOD and DHS, in particular, to task for failing to show significant improvements.

"Whats happening with the two most strategic and sensitive agencies?" asked Rep. Diane Watson, D-Calif. "I dont feel comfortable that my homeland is secure."

Areas of greatest concern to policy-makers include inconsistent incident reporting and contingency-plan testing, as well as a lack of both specialized security training and configuration management policies, Davis said.

Some agencies improved: The Department of Labor, Environmental Protection Agency and Social Security Administration received an A+. The National Science Foundation earned an A, up from a C+, and the General Services Administration earned an A-, up from a C+.

Larger agencies face more complicated security challenges because they are often composed of semiautonomous bureaus with separate missions, funding and technologies, and vulnerabilities in one bureau can affect other parts of the department, said Gregory Wilshusen, director of information security issues at the Government Accountability Office, in Washington.

Industry observers widely agree that only greater accountability and commitment at the top will lead to improvement in the future. "In the commercial world, people get fined or go to jail when they dont comply. The feds dont seem to have the same motivation," said Chris Farrow, director for the Center for Policy & Compliance at Configuresoft, in Colorado Springs, Colo. Farrow added that many agencies are not lacking in funding or tools. "[DHS] has the largest budget out there. They got an F last year, and this year they failed again," Farrow said.

Theres concern that many of the agencies are focused on "studying for the test" rather than on long-term, sustainable security. "The question is, What does a B really mean?" asked Richard Tracy, chief technology officer of Telos, in Ashburn, Va. "Does it mean that someone just knows how to take the test now?"