computerworld.com
Congress rips DHS, DOD for low cybersecurity grades
DHS and DOD pull F's in annual government assessment
News Story by Grant Gross
MARCH 16, 2006 (IDG NEWS SERVICE) - Members of the U.S. Congress today lectured technology executives at two major security agencies for failing cybersecurity scores, with one congresswoman saying she doesn't feel safe because of the problems.
"What's happening at the two most strategic and sensitive agencies?" said U.S. Rep. Diane Watson, commenting on the F grades given to the Department of Homeland Security and the Department of Defense by the House Government Reform Committee. "Is there incompetence? Is there cronyism?
"I don't feel comfortable that my homeland is secure," Watson added during a committee hearing, a day after the committee released the 2005 cybersecurity scores for 24 major U.S. government agencies.
The DHS and DOD both received F grades for 2005, with DOD declining from a D grade in its 2004 score. Six other agencies, including the departments of State and Energy, also received Fs. Seven agencies received grades of A- or better, with the Department of Labor and the Social Security Administration among five agencies receiving A+ grades.
Committee Chairman Tom Davis, a Virginia Republican, said improved cybersecurity at federal agencies is "vital" to national security and the U.S. economy. "When it comes to federal IT policy and information security, it is still difficult to get people -- even members of Congress -- engaged," Davis said. "None of us would accept D+ grades on our children's report cards. We can't accept these either."
Technology executives at both agencies said their size, their widely dispersed employees and their varied missions contributed to a complex and quickly changing IT environment. Both agencies said they've made dramatic improvements in recent months.
The DOD deploys networks on the fly for soldiers and sailors, said Robert Lentz, director of information assurance for DOD. "We have very large and very diverse, dynamic organization deployed worldwide," Lentz said. "Things are changing all the time."
Karen Evans, administrator of the White House Office of Management and Budget's Office of E-Government and Information Technology, agreed that large agencies can have a tougher time complying with the Federal Information Security Management Act (FISMA), passed by Congress in 2002. FISMA requires agencies to complete IT inventories, test for security vulnerabilities and develop remediation plans in the event of major attacks or outages.
"It sounds as if you are defending the incompetency of DHS," responded Rep. William Lacy Clay, a Missouri Democrat.
DOD has made several recent improvements, Lentz said. The agency has begun a process to track IT security personnel and security certifications, he said, and it conducted cybersecurity training for 2 million of the 2.6 million DOD military, civilian and contract workers who had access to DOD networks, he said.
DHS, which began operations in March 2003, completed a systems and applications inventory in August, said Scott Charbo, the DHS chief information officer. The agency also rolled out a systems certification and accreditation tool in April, he said. About 26% of its IT equipment was accredited as of late 2005, and that number is now up to 60%, he said.
Davis noted that DHS is a relatively new agency that brought together more than 20 U.S. agencies when it was formed. "This is a work in progress," he said. "This takes years."
Charbo agreed but said his agency needs to do better. "That still doesn't change the fact that ... we're nowhere near where we wanted to be," he said.
Agencies that dropped from their 2004 scores included the Department of Transportation, which fell from an A- to a C-, the Nuclear Regulatory Commission, which went from a B+ to a D-, and the Department of the Interior, which dropped from a C+ to an F.
The annual scorecards are based on reports submitted to Congress by the different government agencies, as mandated by the Federal Information Security Management Act of 2002 (FISMA).
The reports are designed to gauge whether the departments meet federally mandated security standards, but according to one observer, they say very little about the security of the IT systems in those departments.
"You get a very low score if you haven't finished a whole bunch of reports called Certification & Accreditation Reports," said Alan Paller, director of research at the SANS Institute, a computer security training organization in Bethesda, Md. "They're 90% documentation of the system."
"Even the consultants that write these reports have never secured a computer system," he added. "They wouldn't know a secure system if they met it on the street."
Rather than looking at whether agencies are meeting FISMA requirements, the government should adopt scorecards that measure the real-world "readiness" of its computer systems, much as the military reports on the battle readiness of its weapon systems, Paller said.
Robert McMillan of IDG News Service contributed to this story.