A US congressional subcommittee has failed 16 federal agencies on
their computer security efforts, while giving barely passing grades
to a host of others.

"It is disappointing to announce that the federal government has
received a failing grade on its security efforts," said Stephen
Horn, chairman of the congressional Subcommittee on Government
Efficiency, Financial Management and Intergovernmental Relations,
in a scathing report released on 9 November.

The subcommittee began grading 24 major executive branch
departments of the US government after the US Congress passed the
Government Information Security Reform Act, which stipulates that
federal agencies establish agency-wide computer security programmes
that protect the systems that support their missions.

Critical agencies such as the Department of Defence, Department of
Transportation, Department of Health and Human Services, and
Department of Energy, as well as the Nuclear Regulatory Commission,
all received a failing grade.

The dismal report card comes at a particularly sensitive time when
the US is at war in Afghanistan and facing terrorist threats at
home, making the protection of sensitive government information all
the more crucial.

"All of us in Congress are well aware that the nation is in a state
of war," said Horn. "It is not anyone's intention to place this
great land at further risk of attack. It is, however, very
important that the new administration take heed of the sobering
assessment the subcommittee is providing and work expeditiously to
address this most important need."

Other agencies that were handed a failing grade included the
Department of Justice, the Department of Treasury, the Department
of Interior and the Department of Education.

In the meantime, a handful of other agencies barely passed the
test. These include the Federal Emergency Management Agency, the
General Services Administration and the Department of State.

The National Aeronautics and Space Administration scored slightly
below average, while the National Science Foundation merited the
highest grade of the group.

The ratings were determined by security audits and evaluations
performed by agency inspectors general since July 2000, with
standards set by the Office of Management and Budget.

"Without proper protection, the vast amount of sensitive
information stored on government computers could be compromised and
the systems themselves subject to malicious attacks," Horn
warned.

While the report comes as a stark warning to US government agencies
to tighten their security, the subcommittee did recognise some
recent advances within the US government.

However, the subcommittee warned: "Recent reports and events
indicate that these efforts are not keeping pace with the growing
threats, and that critical operations and assets continue to be
highly vulnerable to computer-based attacks."