[Infowarrior] - Uncle Sam Earns "C-Minus" in Computer Security

Richard Forno rforno at infowarrior.org
Thu Apr 12 01:56:31 UTC 2007


Uncle Sam Earns "C-Minus" in Computer Security

http://blog.washingtonpost.com/securityfix/?hpid=news-col-blogs

The federal government earned an overall grade of "C-minus" last year for
securing its computer systems and networks from hackers, malicious insiders
and viruses, a slight improvement from scores awarded to agencies in 2005,
Security Fix has learned.

Last year, 24 federal agencies earned a government-wide grade of D-minus in
meeting computer and network security requirements. Security Fix will have
more details on the individual agency grades late Thursday morning, but
according to sources familiar with the process, this year's results are a
mixed bag. Many agencies that won high marks this year turned in worse
performances in 2005 and vice versa.

The grades will be released at an event Thursday at the Center for
Innovative Technology in Herndon, Va., by Rep. Tom Davis, the Virginia
Republican who authored the law mandating these grading requirements.

Davis is the ranking member of the House Committee on Oversight and
Government Reform. When I received a tip that the report cards were going to
be released this week, I contacted the majority office to follow up on the
rumor, as the Democrats of course now control Congress.

When I contacted the majority office on Tuesday, I was told privately that
my source was probably misinformed, as the committee wasn't slated to
release the grades until May, when it planned to hold a hearing on them.
Less than 24 hours later, Davis's office issued a press release saying the
grades would be released Thursday.

Democrats on the committee's majority staff said they were caught off-guard
by the announcement. Davis staff director Dave Marin said this is the first
time panel Democrats have expressed interest in the annual reports.

"We've done this every year, and each time the Democrats have shown no
interest whatsoever," Marin said. "It's not a committee function, and
there's nothing in the law or [regulations] that says the committee has
ownership of the grades. That said, we welcome participation and feedback
from any Democrats who are interested."

For the past several years, I attended the hearings where the grades were
released. Almost without exception, the sole lawmaker in attendance was
former Rep. Stephen Horn, the droll Republican from California who headed
one of the Government Reform subcommittees.

The grades are based on the agencies' internal assessments and information
they are required to submit annually to the White House Office of Management
and Budget. The letter grades depended on how well agencies met the
requirements detailed in the Federal Information Security Management Act.

The 2003 law, known as FISMA, requires agencies to meet a wide variety of
computer security standards, ranging from operational details -- such as
ensuring proper password management by workers and restricting employee
access to sensitive networks and documents -- to creating procedures for
reporting security problems.
