Homeland Security likely to flunk security

Find opportunities — and win them.

For the third year in a row, the Homeland Security Department is expected to receive an "F" grade in protecting its computers and IT networks from security breaches.

For the third year in a row, the Homeland Security Department is expected to receive an "F" grade in protecting its computers and IT networks from security breaches, according to a Washington Post article providing advance notice of the grades.

The Post, which owns Post Newsweek Tech Media, said it obtained an advanced copy of portions of the 2005 federal agency cybersecurity grades to be released by the House Government Reform Committee today. The annual benchmarks show how well federal agencies are doing in complying with the Federal Information Security Management Act, or FISMA. The act establishes protections against hackers, viruses and other cyber-risks.

Other federal agencies receiving failing marks for 2005 ? the same as in 2004 ? include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation and Veterans Affairs, the Post reported. The governmentwide grade for cybersecurity for 2005 is expected to be a "D-plus."
Earning As in the report are the Agency for International Development, Environmental Protection Agency, General Services Administration, National Science Foundation, Social Security Administration, Office of Personnel Management and Labor Department.

FISMA, enacted five years ago, is intended to assist the government in boosting its security. But an analyst at Input Inc., a market research firm in Reston, Va., said today that FISMA has been ineffective because it focuses too much on paperwork.

"FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements," Bruce Brody, vice president, information security at Input, said in a news release.

"Moreover, the system-by-system and site-by-site approach to reporting information security issues does not recognize the importance of backbone infrastructure security improvements," he said.