Government gets near-failing grade on FISMA scorecard

The federal government as a whole continues to struggle with securing its computer networks, according to the latest round of FISMA grades released by the House Government Reform Committee. Agencies earned an overall D for their efforts, the same grade as last year.

Failure to make progress overall provided an opportunity for national politics to shade the tone of today's committee hearing on the grades, as Democratic representatives questioned how secure the country could be if departments charged with protection couldn't protect their own networks.

Before partisanship could set in, however, Rep. Tom Davis (R-Va.) commended agencies for making progress in several areas, including development of configuration management plans, training employees in security, developing and maintaining inventories of their systems, and certifying and accrediting their systems. He was dismayed, however, that several departments hadn't completed inventorying their systems, making it impossible to track what security improvements had been made.

After several highly publicized incidents of customers' and citizens' personal data being lost or stolen, Davis said Congress is considering a national standard for data breach notifications. He asked Karen Evans, administrator of the Office of E-Government and Information Technology in the Office of Management and Budget, whether government agencies currently notify citizens when their information is compromised.

Evans said OMB believes the Privacy Act has provisions that address the issue of notification, but asked for time to look into the issue.

Of the 24 agencies that received FISMA grades, seven earned A-level marks: the Agency for International Development, Environmental Protection Agency, General Services Administration, National Science Foundation, Office of Personnel Management, Social Security Administration and the Labor Department (the only department to receive such a high score). USAID was the sole entity to earn an A the past two years.

But the distribution of grades among the remaining 17 agencies was noticeably lower, with 13 receiving a D or F. Nine of the agencies flunked this year, up from seven last year, including the departments of Homeland Security and Defense, which opened the door to grilling by Democratic members of the committee.

Rep. Diane Watson (D-Calif.) questioned the basic competence of leadership at the two departments, asking sarcastically if the committee staff had calculated the grades wrong, and scolding them for claiming the departments are making progress despite their failing grades.

"What's happening with our two most strategic agencies?" Watson asked Robert Lentz, DOD's director of information assurance and assistant secretary for networks and information integration, and Scott Charbo, CIO at DHS.

When Watson finished, Davis stepped in and asked whether the poor grades were due to the size of DHS and DOD, and the complexity of their missions.

Charbo was firm that DHS had made progress, pointing out that last year only 26 percent of the department's systems were accredited, while by the end of February 2006 more than 60 percent of the systems had been accredited.

"In just five months the department has more than doubled the number of accredited systems, and it is on track to make the goal of full remediation by the end of this year," he testified.

Lentz, on the other hand, pointed out that DOD is busy conducting a war and is reconfiguring its systems on the fly to keep up with warfighters' needs.

After the hearing, Davis said he understands the difficulties of very large departments wrestling with the requirements of FISMA, but holding such hearings on their poor performance is one of the few ways they can be held accountable.

Patience Wait is a staff writer for Washington Technology's sister publication, Government Computer News.