Congress: Agency IT security improvement slight

Despite the Office of Management and Budget's emphasis on cybersecurity over the past four years, the federal government is barely secure ? and Congress is frustrated.

Seven agencies, including the Homeland Security Department, received failing grades, and five others received Ds for their efforts to secure their IT systems, according to the fifth annual Federal Computer Security Grades handed out today by Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee.

Overall, agencies scored a 67.3 out of 100, which is a D, for 2004, an improvement of 2.3 points over 2003. The committee reviewed agency Federal Information Security Management Act reports to come up with the grades.

"The vulnerabilities of our systems are significant, and the potential damage that can be done is almost unspeakable," Davis said. "A lot of agency managers view this as a cost-avoidance measure instead of a bigger issue. We have made progress, but I wish agencies would move faster."

Davis said he was frustrated by the slow progress overall but encouraged by some individual agencies, such as the State Department, which improved its score by 30 points to a D.

"FISMA has made us a better and more effective agency," said State CIO Bruce Morrison. "It has been taken seriously by our executive management, and that is one of the reasons we improved."

The Transportation Department made the biggest jump going from a D to an A-. The Agency for International Development received the only other A, scoring a 99 out of 100.

"We came up with a methodology to use across all agencies, and we vetted it with our inspector general to make sure it measured security in an appropriate way," Transportation CIO Dan Matthews said. "Secretary [Norman] Mineta also made it a priority and strongly encouraged us to stay on track."

The departments of Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development and Veterans Affairs joined DHS in earning failing scores for IT security.

"DHS needs stronger management," Davis said, "but they also have other issues on the front burner that may [cause them to] take their eye off the ball."

Along with the report card, Davis introduced a new program to provide chief information security officers with best practices and support from the public and private sector.

The CISO Exchange will bring together industry and agency security experts at quarterly meetings to discuss issues and lessons learned, and produce a report on federal IT security priorities and operational issues.

Justice Department CIO Vance Hitch and Government Reform Committee staff director Melissa Wojciak will lead the council, which will hold its first meeting in May.

"It is hard to get your grades up and keep them up," Hitch said. "The threat increases all the time, and constant effort is not enough. You have to do new and innovative things to improve your performance."

Davis said the private-sector participants have not yet been named.

"This group provides federal CISOs with a structured forum for education, information sharing and collaboration with the private-sector IT security community," Davis said.