Putnam said he was particularly troubled by the fact that only five of the 24 agencies did full inventories of their critical information technology, as required by the Federal Information Security Management Act. He said the scorecard results could be flawed, because the majority of grades are based on those incomplete inventories. "We're four years into this, and only five agencies know what [IT assets] they have. It's disturbing," Putnam said. "It does call into question everything else they are reporting [about cybersecurity]."The Government Reform Committee as a whole is concerned about the lack of adequate IT inventories, said David Marin, legislative director for Rep. Tom Davis, R-Va., who chairs the committee. Davis authored FISMA."We can't trust these [scorecard] numbers if we don't have accurate inventories," Marin said. In a statement, Davis said the goal of making computer security a constant management focus at federal agencies has not been realized.Agencies' scores are based on separate fiscal 2003 reports to the Office of Management and Budget by agencies and their inspectors general. The reports are required by FISMA. FISMA, contained in the E-Government Act of 2002, requires annual IT security reviews, reporting and remediation at federal agencies.This year's grades are especially important, because for the first time the grading criteria did not change significantly from the previous year, Putnam said. But the lack of independent reports from three agency inspectors general further calls into question the scorecard results, according to a subcommittee outline of the grading methodology. Scores for the departments of Veterans Affairs, Treasury and Defense "may not reflect the same accuracy as the scores of the other 21 agencies, whose scores are based on more objective reporting," the subcommittee document said. The Treasury Department's inspector general for tax administration did submit a report to OMB on the Internal Revenue Service, which runs about 80 percent of the department's IT systems, the document said. Some agencies' grades jumped significantly, while others' stood still. For the first time in the four years since former Rep. Stephen Horn, R-Calif., started the scorecard, two agencies got As. The Nuclear Regulatory Commission's grade jumped from a C to an A, and the National Science Foundation's grade went from a D- to an A-. However, the departments of Energy, Justice, Interior, Housing and Urban Development and State retained their failing grades year over year, and two agencies' grades fell from 2002. NASA fell from a D to a D-, and the Department of Health and Human Services fell from a D- to an F. The Homeland Security Department got an F in its first year on the scorecard. Various components of the new department came from agencies that have received low cybersecurity scores, including Energy, Transportation and Treasury. "We recognize the difficult reorganization that took place and we expect significant improvement next year," Putnam said about Homeland Security.
The federal government's overall grade on cybersecurity improved over the last year, from an F in 2002 to a D in 2003, according to the fourth annual score card, which was published Dec. 9 by the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.
Fourteen agencies improved their grades.
But improvement is still too slow, said Rep. Adam Putnam, chairman of the subcommittee, who said he would take several steps to jumpstart improvements to agencies' cybersecurity efforts.
Fourteen of 24 agencies' grades were below a C, and eight failed.
"We must do more and quicker if we are going to protect ourselves from a potential digital disaster," he said. "There are substantial material weaknesses that expose agencies to potential cyberattacks. The damage that could be inflicted, both in terms of financial loss and potential loss of life, is considerable."
Putnam, R-Fla., said he will communicate to the Appropriations Committee the importance of adequate funding for information security.
"It's important to work with the appropriators so we know if the money is not enough, or if it's too much," he said.
Putnam also said the subcommittee will meet with agency chief information officers to work on plans to improve their cybersecurity.
"We want to see specific remediation plans. We will encourage those who have done well to share their experiences ? how they went from a D- to an A," he said. "I'd like to go to the CIO Council and have a candid dialogue."
In addition, a subcommittee hearing on cybersecurity is planned for early March, after the Office of Management and Budget's report on cybersecurity is released, Putnam said.
Agencies that performed well had these factors in common, according to Putnam:
a full inventory of critical IT assetsidentification of critical infrastructure and mission-critical systemsstrong incident and identification and reporting procedurestight controls over contractorsstrong plans of action for finding and eliminating security problems.