Federal agency security still poor, but improving

Federal agencies improved their computer security over the past year but still managed to score only a D-plus in the annual Federal Computer Security Scorecard issued by Congress.

This year's average grade of 67.3 out of a possible 100 represents an improvement of 2.3 points over the D issued for last year and the F grades for both 2001 and 2002.

Seven of the 24 largest agencies received failing grades, including the Departments of Energy, Veterans Affairs and Homeland Security, which oversees the National Cyber Security Division and is partly responsible for defending the nation's Internet infrastructure against attack.

"There's good news and bad news," said Rep. Tom Davis [R-Va.], chairman of Government Reform Committee, which issues the report cards based on information submitted by the inspector general of each agency.

Check out the 2003 report When a 'D' in cybersecurity is seen as an improvement

"Information security is more important now and taken more seriously than ever, but all it takes is one weak link to break the chain and the potential damage that can be done almost unspeakable," Davis added.

The release of the report cards coincided with a private study from Telos Corp., which surveyed 30 federal CSOs to get their take on the grading process. The Ashburn, Va.-based company provides systems integration and security solutions, primarily to government customers.

Telos CSO Richard Tracy said the survey showed some shortcomings in the report card process, with many CSOs noting a lack of connection between the report card grades and overall IT or computer security funding for an agency.

"This begs the question: What's the point of evaluating or grading if there are no incentives or financial outcomes?" Tracy said.

Davis said tying the grades to funding, to create incentives for improvements, may be considered in the future. No specific information on security shortcomings is issued for security reasons, but Davis said concerns go beyond the threat of catastrophic attacks on federal systems to include nuisance attacks from spam, viruses and attempts at identity theft.

Davis, who helped draft the Federal Information Security Management Act [FISMA], which established benchmarks used to measure compliance, said the grades were not meant to embarrass agencies that fare poorly. "We're moving in the right direction," he said. "We're moving the ball down the field."

Davis singled out the Departments of State and Transportation (DOT) for marked improvement in the past year. Though State still received a D-plus, its score jumped 30 points from a failing grade the year before.

DOT, meanwhile, saw its grade jump to an A-minus from a D-plus last year, making it one of just two agencies to receive an A. The other was given to the Agency for International Development, which had a score of 99.

Daniel P. Matthews, the CIO of DOT, credited widespread cooperation from key people within the agency for the improvements but warned against considering a high grade an end result. "The threat is ever-shifting and those who would harm us seek new methodologies every day," he said. "We can't rest."

Other improvements were seen in Department of the Interior, which failed last year and garnered a C-plus and the Department of Justice, where an F last year became a B-minus.

Davis also announced that his office would help form the public-private CISO Exchange, an informal quarterly meeting among government and private sector security executives to discuss security issues and exchange ideas. The first meeting of the group, which will be overseen by Justice Department CIO Vance Hitch, will begin meeting in May.