U.S. Agencies Fail Cybersecurity Tests

The U.S. departments of Defense and State received F grades, and Homeland Security a D, in the latest scorecard measuring their information security measures.

The Department of Homeland Security's 2006 grade improved slightly from 2005, when it received an F. Representative Tom Davis, a Virginia Republican, said it was "troubling" that three of the main agencies fighting terrorism again received low grades for their compliance with the Federal Information Security Management Act. FISMA, passed in 2002, requires agencies to assess and report on their information security programs in a number of areas, and the scorecard grades are based on those reports.

Asked whether the U.S. public should be confident those three agencies are protecting against cyber terrorism, Davis said, "It doesn't give me a lot of confidence."

Overall, the U.S. government received a C minus grade, compared to a D plus last year.

Davis, who sponsored FISMA, said he was encouraged by the general improvement, but more needs to be done. "When it comes to information security, the federal government can and should be a leader," he said at a press conference Thursday.

A handful of agencies improved their FISMA grades significantly. The Department of Housing and Urban Development improved from D plus to A plus, the Department of Justice improved from D to A minus, and the Department of Health and Human Services improved from an F to a B.

Despite the D grade, Davis defended the Department of Homeland Security, saying it was still working to integrate the 22 agencies merged to create it in 2002. The creation of the department was a "horrendous, complicated deal," he said.

"It's a work in progress, and it's going to take some time," he said of DHS cybersecurity efforts.

But Davis had no kind words for the Department of Defense. He called it a "badly managed agency" with each military branch focusing on its own technology.

Alan Paller, director of research at the SANS Institute, was less forgiving of DHS than Davis, saying the department's success stories in helping improve U.S. cybersecurity "can be counted on the fingers of one hand."

"The worst indictment, however, is the department's failure to lead by example," Paller added. "Other [chief information officers] in governments and corporations have a right to look to the DHS CIO and his security people for models of excellence in cybersecurity. They won't find it there."

It was a mistake to move the primary responsibility for the government's cybersecurity out of the White House and Justice Department, he added. The move was "a big, expensive error -- one that will take a long time to fix," he said.

Karen Evans, administrator of e-government and information technology in the White House Office of Management and Budget (OMB), said she was encouraged by some improvement in the FISMA scores, but she wasn't satisfied. "I would not accept a C minus on my kids' report cards," she said. "Average is not good enough."

(Robert McMillan in San Francisco contributed to this report.)
