Agencies get failing grades for systems security

Federal government computer systems today received an overall failing grade for security for the second year in a row as Rep. Steve Horn issued his annual report card.

The government's overall score was 55, up from 53 a year ago, and only 14 of 24 executive branch agencies received an F, compared with 16 agencies last year.

Last year's standout agency, the National Science Foundation, dropped from a B to a D-.

This year's top performer was the Social Security Administration, which climbed from a C to a B-. In the cellar this year is the Transportation Department, which scored what Horn called "an appalling 28 points out of a possible 100."

The California Republican issued the grades during a hearing of his House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

The scores are based on weighted evaluations of each agency's performance in five major areas. The information is drawn from studies by the General Accounting Office, the Office of Management and Budget, and agencies' CIOs and inspectors general.

Key to implementing adequate information security is an agency's CIO, several witnesses said at today's hearing.

"Where we have seen progress, there has been clear action taken to empower the CIO," said Mark Forman, OMB associate director for IT and e-government. "Transportation is one where there is a less-than-powerful CIO."

In fact, said Transportation IG Kenneth M. Mead, "Transportation does not have a CIO." The department has had a permanent CIO for only 18 months since the office was mandated in 1996, Mead said.

Social Security officials attributed the agency's success to a culture of security, which has been implemented from the top down. From its inception, SSA has been concerned about the privacy of the information it maintains, said SSA deputy commissioner and chief operating officer James B. Lockhart III. "That has infused our culture from Day 1."

Forman identified three continuing weakness that make federal systems vulnerable:

  • A lack of system-level security plans and certifications

  • A lack of agreement on the part of many IGs and CIOs as to what their agencies' weaknesses are

  • A lack of prioritization in IT investments.

  • Officials credited the Government Information Security Reform Act for much of the improvement seen in this year's assessment, and witnesses were uniform in their recommendation that it be extended. The law is set to expire Nov. 29. Congress has included provisions making its requirements permanent in the Homeland Security bill now before the Senate.

    Under GISRA, OMB requires agencies to include IT security in their annual budget proposals or risk losing funding.

    "There were a number of proposals last year we put on the high-risk list" because of IT security problems identified in GISRA reports, Forman said.

    OMB also issues an annual report to Congress on the state of IT security. The next report is due in February. Forman said there would likely be some discrepancies between his report and the report card. For instance, he said his staff had found that the Justice Department, which received a failing score of 56 on the report card, had made more progress than the report card indicated.

    The grades, ranked in order of best to worst:

  • Social Security Administration: B-

  • Labor Department: C

  • Nuclear Regulatory Commission: C

  • Commerce Department: D

  • NASA: D

  • Education Department: D

  • General Services Administration: D

  • Environmental Protection Agency: D-

  • Health and Human Services: D-

  • National Science Foundation: D-

  • Agency for International Development: F

  • Agriculture Department: F

  • Defense Department: F

  • Energy Department: F

  • Federal Emergency Management Agency: F

  • Housing and Urban Development Department: F

  • Interior Department: F

  • Justice Department: F

  • Office of Personnel Management: F

  • Small Business Administration: F

  • State Department: F

  • Transportation Department: F

  • Treasury Department: F

  • Veterans Affairs Department: F

  • About the Author

    William Jackson is a Maryland-based freelance writer.

    Reader Comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above.


    WT Daily

    Sign up for our newsletter.

    Terms and Privacy Policy consent

    I agree to this site's Privacy Policy.