Uncle Sam Earns "C-Minus" in Computer Security

The federal government earned an overall grade of "C-minus" last year for securing its computer systems and networks from hackers, malicious insiders and viruses, a slight improvement from scores awarded to agencies in 2005, Security Fix has learned.

Last year, 24 federal agencies earned a government-wide grade of D-plus in meeting computer and network security requirements. Security Fix will have more details on the individual agency grades late Thursday morning, but according to sources familiar with the process, this year's results are a mixed bag. Many agencies that won high marks this year turned in worse performances in 2005 and vice versa.

The grades will be released at an event Thursday at the Center for Innovative Technology in Herndon, Va., by Rep. Tom Davis, the Virginia Republican who authored the law mandating these grading requirements.

Davis is the ranking member of the House Committee on Oversight and Government Reform. When I received a tip that the report cards were going to be released this week, I contacted the majority office to follow up on the rumor, as the Democrats of course now control Congress.

When I contacted the majority office on Tuesday, I was told privately that my source was probably misinformed, as the committee wasn't slated to release the grades until May, when it planned to hold a hearing on them. Less than 24 hours later, Davis's office issued a press release saying the grades would be released Thursday.

Democrats on the committee's majority staff said they were caught off-guard by the announcement. Davis staff director Dave Marin said this is the first time panel Democrats have expressed interest in the annual reports.

"We've done this every year, and each time the Democrats have shown no interest whatsoever," Marin said. "It's not a committee function, and there's nothing in the law or [regulations] that says the committee has ownership of the grades. That said, we welcome participation and feedback from any Democrats who are interested."

For the past several years, I attended the hearings where the grades were released. Almost without exception, the sole lawmaker in attendance was former Rep. Stephen Horn, the droll Republican from California who headed one of the Government Reform subcommittees.

The grades are based on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements detailed in the Federal Information Security Management Act.

The 2003 law, known as FISMA, requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.

By Brian Krebs  |  April 11, 2007; 5:01 PM ET

© 2010 The Washington Post Company