The Committee on Government Reform gave the agency, which in the aftermath of the Sept. 11 terrorist attacks was charged with protecting the nation from threats, a failing grade for network security the second year in a row Thursday. And DHS wasn't the only U.S. federal agency to receive a poor mark in what has become an annual report card on federal computer security.
Overall, the government received a D+.
Five of the 24 agencies, including the Department of Commerce and the Treasury Department, received D grades. Eight of them, including the Department of Justice, the Department of Defense and the State Department all failed. The Department of Health and Human Services, which would manage the country's response to the bird flu if it came within U.S. borders, also received an F.
''This year, the federal government, as a whole, hardly improved, receiving a D+ yet again,'' Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, told a hearing on Capitol Hill yesterday. ''Our analysis reveals that the scores for the Departments of Defense, Homeland Security, Justice, State -- the agencies on the front line in the war on terror -- remain unacceptably low or dropped precipitously.''
The results are from the fourth-annual network security review of government agencies under the Federal Information Security Management Act (FISMA).
This year, 10 agencies showed improvement with the National Aeronautics and Space Administration, for instance, raising its score from a D- in 2004 to a B- in 2005.
Eight agencies received a worse grade this time around. The Department of Justice went from a B- in 2004 to a D in 2005, and the Nuclear Regulatory Commission dropped from a B+ to a D-.
Five agencies, including DHS, the Department of Veterans Affairs and the Department of Energy, maintained a failing grade year over year.
Davis said the committee is concerned about several specific areas of network security: specialized training for workers with significant security responsibilities, inconsistent incident reporting, implementation of configuration management policies, annual testing of security controls and agency responsibility for contractor systems.
Gregory C. Wilshusen, director of Information Security Issues at the U.S. Government Accountability Office, told those at the hearing that information security has long been identified as a government-wide, high-risk issue.
''For many years, we have reported that poor information security is a widespread problem that has potentially devastating consequences,'' he said. ''The degree of risk caused by security weaknesses is high. The weaknesses we identified place a broad array of federal operations and assets at risk.''
Wilshusen pointed to problems with many agencies' contingency plans. ''Agencies reported that only 61 percent of their systems had tested contingency plans, thereby reducing assurance that agencies will be able to recover from the disruption of those systems with untested plans,'' he said. ''Although this number continues to show small increases each year since 2003... five agencies reported less than 50 percent of their systems had tested contingency plans.''
Another report released Thursday by INPUT, a Reston, Va.-based analyst firm and consultancy focused on government business, also gave the government dismal computer security marks.
The report called FISMA ''largely ineffective''.
''FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress, while putting in place very little in the way of actual security improvements,'' Bruce Brody, vice president of information security at INPUT, said in a written statement.
Scott Charbo, chief information officer of the Department of Homeland Security, was upbeat in his statement in front of the hearing, despite his agency's results on this year's score card.
''The department's [information security] program has come a long way in just three short years,'' he said, adding that the agency's work has ''paved the way for real and measurable cyber security improvements in the near future... I am confident that the DHS Information Security Program is moving in the right direction.''
Chairman Davis, though, voiced his concerns in his opening statement. ''If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of 'low performers','' he said. ''None of us would accept D+ grades on our children's report cards. We can't accept these either.''