Uncle Sam Earns "C-Minus" in Computer Security
The federal government earned an overall grade of "C-minus" last year for securing its computer systems and networks from hackers, malicious insiders and viruses, a slight improvement from scores awarded to agencies in 2005, Security Fix has learned.
Last year, 24 federal agencies earned a government-wide grade of D-plus in meeting computer and network security requirements. Security Fix will have more details on the individual agency grades late Thursday morning, but according to sources familiar with the process, this year's results are a mixed bag. Many agencies that won high marks this year turned in worse performances in 2005 and vice versa.
The grades will be released at an event Thursday at the Center for Innovative Technology in Herndon, Va., by Rep. Tom Davis, the Virginia Republican who authored the law mandating these grading requirements.
Davis is the ranking member of the House Committee on Oversight and Government Reform. When I received a tip that the report cards were going to be released this week, I contacted the majority office to follow up on the rumor, as the Democrats of course now control Congress.
When I contacted the majority office on Tuesday, I was told privately that my source was probably misinformed, as the committee wasn't slated to release the grades until May, when it planned to hold a hearing on them. Less than 24 hours later, Davis's office issued a press release saying the grades would be released Thursday.
Democrats on the committee's majority staff said they were caught off-guard by the announcement. Davis staff director Dave Marin said this is the first time panel Democrats have expressed interest in the annual reports.
"We've done this every year, and each time the Democrats have shown no interest whatsoever," Marin said. "It's not a committee function, and there's nothing in the law or [regulations] that says the committee has ownership of the grades. That said, we welcome participation and feedback from any Democrats who are interested."
For the past several years, I attended the hearings where the grades were released. Almost without exception, the sole lawmaker in attendance was former Rep. Stephen Horn, the droll Republican from California who headed one of the Government Reform subcommittees.
The grades are based on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements detailed in the Federal Information Security Management Act.
The 2003 law, known as FISMA, requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.
By Brian Krebs | April 11, 2007; 5:01 PM ET | From the Bunker, Misc.
This surprises anyone?
Government IT in general is a joke, no matter what agency that we are talking about.
The people in the decision making posts within management are truly clueless (untrained, no experience, unwilling to listen) to IT in general.
Posted by: Anonymous | April 11, 2007 6:31 PM
"The people in the decision making posts within management are truly clueless (untrained, no experience, unwilling to listen) to IT in general."
Exactly! I've experienced this firsthand having worked in local government. IT is dictated to by people that have no business doing so. You can equate it to hospital management telling a doctor how to perform surgery.
It is simply mind-boggling how backwards the whole thing is!
It's all about risk management. Unfortunately, organizations are willing to take huge risks because so far they are allowed to get away with it. At some point though, it will come back to bite them!
Posted by: TJ | April 11, 2007 7:25 PM
While the government is so intent on spying on its own citizens, it cannot obviously control its own security systems. Over the past few years, thousands of laptops containing personal information have been lost, and thousands of government systems have been hacked... This is one more proof of the ineptitude, incompetence, and ignorance, of the Bush Administration.
Posted by: Anonymous | April 11, 2007 8:59 PM
Don't you think that when there are too many people standing around that they get in the way of somebody trying to work? I've noticed that, at least for myself, if I want to work on a computer I'm best left to myself. Federal workers at the South Pole maybe?
Posted by: Alan B | April 11, 2007 10:56 PM
@ the anon April 11, 2007 08:59 PM poster:
That's quite a stretch to blame the president and his administration for the problem. Ease up on that Kool-Aid my friend.
Posted by: TJ | April 11, 2007 11:42 PM
This is a pretty important benchmark of progress, and it is a good area of government to try to apply one to as well. Without this happening I would not want to think about how awful the security situation would be in the government. This is not from inattention, but rather ignorance. The people who needed to care would not know to do so.
I do credit this for a serious improvement in government security since it began. It is not the type of solution that lends itself to every problem, much less every IT problem, but in this case it has worked well.
Posted by: Gentry | April 12, 2007 2:13 AM
Gee, anybody want to guess what grade the White House and RNC email team would get?
Posted by: Common Sense | April 12, 2007 3:40 AM
Whoops! What, more incompetence? I guess George of the Jungle can only put together an administration that belly flops on every occasion.
Posted by: Robert James | April 12, 2007 9:17 AM
I am retired from library work, unionized, and for more than 20 years. I value my PERS pension, but always there are the workers and the drones. It has been the same from time immemorial, but the situation is more scary now. I nearly lost my job once when I reported a stolen computer to the mayor instead of my boss--not the proper chain of command. She was not at work and the mayor was.
Posted by: Susan Dawson | April 12, 2007 10:23 AM
Two things. First of all, how is it not possible for Microsoft to share in the blame and responsibility for this? Second, why is data from the government available on the public internet? The government maintains a number of secure private networks and it is, IMHO, irresponsible to the point of being criminal to continue to put data, especially data that could in any way lead to a breach in national security, on the public internet. All too often these days I see the security industry pointing to military style solutions to secure the public internet space. Is this really what we want? Reference taosecurity.blogspot.com
Posted by: Anthony | April 20, 2007 12:47 PM