U.S. Government Fails to Make Security Grade

Computer Security Report Card shows 14 of 24 federal agencies flat out flunked their efforts to improve network safety.

For the second year running, the federal government has flunked Computer Security 101.

The 24 major agencies of the U.S. government performed so poorly this year that lawmakers charged with overseeing government efficiency want to tie agencies funding to network security procedures and force them to buy software only from a list of "qualified" products.

Despite the redoubled attention to security since the terrorist attacks of Sept. 11, 2001, 14 of 24 federal agencies flat out flunked their efforts to improve network safety, according to the Computer Security Report Card released last month by the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. This fall, the subcommittee concluded that every major agency in the federal government houses significant network security weaknesses.

Perhaps most worrisome, some agencies--including some that conduct highly confidential activity--fared even worse than they did a year ago. The National Aeronautic & Space Administrations score fell to a D-plus from a C-minus, and the Department of States score fell to an F from a D-plus.

The scores are based on numerous criteria, including employee training, access controls, incident reporting procedures, system software, mechanisms to ensure the security of contractor services, and the use of performance measures, among other things. The data comes from reports that the agencies send to the Office of Management and Budget and audits conducted by inspectors general and the General Accounting Office.

Demonstrating the paradox of trying to promote improved security via public disclosure, the subcommittee declined to release detailed evaluations of each agency.

"With computer security, it is not necessarily in the best interest of everybody to identify specific problems," an aide on the subcommittee said. "The agencies know, and they are the people who need to get going on this."

The Social Security Administration made the highest grade this year, rising to a B-minus from last years C-plus. "[T]he Social Security Administration continues to be a shining example of sound leadership and focused attention toward solving this important problem," subcommittee chairman Stephen Horn, R-Calif., said upon disclosing the grades.

The Nuclear Regulatory Commission earned the third highest grade this year with a "C," which does not appear remarkable until viewed in comparison with last years failing grade.

In addition to tying funding to computer security, the government should set minimum security standards for commercial off-the-shelf software purchased by federal agencies, the subcommittee recommended in a report titled "Making Federal Computers Secure: Overseeing Effective Information Security Management."

The panel suggested that agencies be given a list of qualified software products, based on tests by developers or by an independent government agency, such as NIST or the National Security Agency.

"The current practice of releasing software without adequate security testing and then developing patches to fix vulnerabilities creates an untenable burden on Government systems administrators," the subcommittee complained in the report.

Lawmakers noted that the White Houses Office of Management and Budget began using funding to try to improve computer security last year. OMB, which is requiring agencies to identify weaknesses and submit plans for addressing them, plans to end funding IT projects that dont include security requirements.

In the past year, there have been significant attacks on federal computers at the White House, the Pentagon and the Department of Treasury, among others. Lawmakers advised that senior managers pay more attention to network security and promote better education within the ranks. They also suggested that all departments implement performance measures and integrate security into their budget planning.

The subcommittee was chaired by Horn, who is retiring at the end of this session, so it remains unknown whether there will be a Computer Security Report Card compiled in 2003.