Wednesday, September 22, 2021

Feds Nearly Fail Cybersecurity… Again

The Department of Homeland Security isn’t all that secure… at least when it comes to its computer systems.

On Thursday, the Committee on Government Reform gave the agency, which in the aftermath of the Sept. 11 terrorist attacks was charged with protecting the nation from threats, a failing grade for network security for the second year in a row. And DHS wasn’t the only U.S. federal agency to receive a poor mark in what has become an annual report card on federal computer security.

Overall, the government received a D+.

Five of the 24 agencies, including the Department of Commerce and the Treasury Department, received D grades. Eight of them, including the Department of Justice, the Department of Defense and the State Department, all failed. The Department of Health and Human Services, which would manage the country’s response to the bird flu if it came within U.S. borders, also received an F.

On the other side of the grading curve, seven agencies, including the Department of Labor, the Social Security Administration and the Environmental Protection Agency, received A grades.

“This year, the federal government, as a whole, hardly improved, receiving a D+ yet again,” Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, told a hearing on Capitol Hill yesterday. “Our analysis reveals that the scores for the Departments of Defense, Homeland Security, Justice, State — the agencies on the front line in the war on terror — remain unacceptably low or dropped precipitously.”

The results are from the fourth annual network security review of government agencies under the Federal Information Security Management Act (FISMA).

This year, 10 agencies showed improvement, with the National Aeronautics and Space Administration, for instance, raising its score from a D- in 2004 to a B- in 2005.

Eight agencies received a worse grade this time around. The Department of Justice went from a B- in 2004 to a D in 2005, and the Nuclear Regulatory Commission dropped from a B+ to a D-.

Five agencies, including DHS, the Department of Veterans Affairs and the Department of Energy, maintained a failing grade year over year.

Davis said the committee is concerned about several specific areas of network security: specialized training for workers with significant security responsibilities, inconsistent incident reporting, implementation of configuration management policies, annual testing of security controls and agency responsibility for contractor systems.

Gregory C. Wilshusen, director of Information Security Issues at the U.S. Government Accountability Office, told those at the hearing that information security has long been identified as a government-wide, high-risk issue.

“For many years, we have reported that poor information security is a widespread problem that has potentially devastating consequences,” he said. “The degree of risk caused by security weaknesses is high. The weaknesses we identified place a broad array of federal operations and assets at risk.”

Wilshusen pointed to problems with many agencies’ contingency plans.

“Agencies reported that only 61 percent of their systems had tested contingency plans, thereby reducing assurance that agencies will be able to recover from the disruption of those systems with untested plans,” he said. “Although this number continues to show small increases each year since 2003… five agencies reported less than 50 percent of their systems had tested contingency plans.”

Another report released Thursday by INPUT, a Reston, Va.-based analyst firm and consultancy focused on government business, also gave the government dismal computer security marks.

The report called FISMA “largely ineffective.”

“FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress, while putting in place very little in the way of actual security improvements,” Bruce Brody, vice president of information security at INPUT, said in a written statement.

Scott Charbo, chief information officer of the Department of Homeland Security, was upbeat in his statement to the hearing, despite his agency’s results on this year’s score card.

“The department’s [information security] program has come a long way in just three short years,” he said, adding that the agency’s work has “paved the way for real and measurable cyber security improvements in the near future… I am confident that the DHS Information Security Program is moving in the right direction.”

Chairman Davis, though, voiced his concerns in his opening statement.

“If FISMA was the No Child Left Behind Act, a lot of critical agencies would be on the list of ‘low performers’,” he said. “None of us would accept D+ grades on our children’s report cards. We can’t accept these either.”
