Expert: Agencies years from average FISMA grades

It will take at least five years for government agencies to achieve even middling grades for compliance with the Federal Information Security Management Act, a former White House official said.

Roger Cressey, former chief of staff to the President's Critical Infrastructure Protection Board and current president of Good Harbor Consulting LLC, said it would take that long for agencies to receive "Cs across the board," because cybersecurity doesn't command the type of resources that physical security issues command.

Cressey spoke yesterday at the Gartner IT Security Summit in Washington.

According to the 2003 Federal Security Report Card, prepared by the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census, 14 of 24 federal departments earned grades below C and eight failed.

"If nobody dies in a cyberattack, it's not a priority," Cressey said. "That's the mentality" at the Homeland Security Department. He said he blames himself and other IT security proponents for failing to convince the department that it needs to pay more attention to cybersecurity.

Cressey criticized the Bush administration for not doing enough to foster cooperation between the government and industry in securing the nation's IT infrastructure. In particular, Cressey said the government wanted help from industry but wasn't prepared to give assistance back. He cited the Protected Critical Infrastructure Information program, which was established in February to seek sensitive and proprietary business information in order to help protect critical infrastructure.

"There have been only six PCII submissions since February," Cressey said.

He cautioned integrators that the time will come when Congress takes it upon itself to ensure cybersecurity.

"Do what you can to help your agency, or Congress will help your agency for you," Cressey said. "And it won't be to your benefit."