A Congress committee has released a damning “report card” on US government computer security, highlighting the particular failings of the Homeland Security, State and Defence Departments.
The annual security report card issued by the House of Representatives Committee on Government Reform is based on the reports by chief information officers in each government agency on their compliance with the Federal Information Security Management Act (FISMA).
The 2005 report card gives the US government overall a D+ grade for the second year running, with the Homeland Security, State and Defence departments receiving the lowest possible F grade.
The Health and Human Services Department also received an F grade, while the Justice Department received a D, down from a B- grade in 2004.
Committee chair Tom Davis slammed the results: “None of us would accept D+ grades on our children’s report cards. We can’t accept these either.”
Launching the report card, Davis queried whether the US government was ready for a “digital Pearl Harbour”. Maintaining the integrity, privacy and availability of information on government systems was vital to national security, continuity of operations, the economy and for fighting the “war on terror”, he said.
“Due to the nature of our cyber infrastructure, an attack could originate anywhere at any time. We know that government systems are prime targets for hackers, terrorists, hostile foreign governments, and identity thieves,” he warned.
But Davis added: “Our analysis reveals that the scores for the Departments of Defence, Homeland Security, Justice and State – the agencies on the front line in the war on terror – remained unacceptably low or dropped precipitously.”
Some agencies had made improvements in planning, configuration management, staff security training, accrediting systems and annual testing, Davis said.
But he added: “Despite these advances, there are still some areas of concern to the committee, including implementation of configuration management policies, specialised security training for employees with significant security responsibilities, inconsistent incident reporting, inconsistencies in contingency plan testing, annual testing of security controls, and agency responsibility for contractor systems.”