The Department of Homeland Security isn’t all that secure… at least
when it comes to its computer systems.
On Thursday the House Committee on Government Reform gave the agency, which in the
aftermath of the Sept. 11 terrorist attacks was charged with protecting
the nation from threats, a failing grade for network security for the second
year in a row. And DHS wasn't the only U.S. federal agency to
receive a poor mark in what has become an annual report card on federal
computer security.
Overall, the government received a D+.
Five of the 24 agencies, including the Department of Commerce and the
Treasury Department, received D grades. Eight of them, including the
Department of Justice, the Department of Defense and the State Department,
failed. The Department of Health and Human Services, which would
manage the country's response to the bird flu if it came within U.S.
borders, also received an F.
On the other side of the grading curve, seven agencies, including the
Department of Labor, the Social Security Administration and the
Environmental Protection Agency, received A grades.
"This year, the federal government, as a whole, hardly improved,
receiving a D+ yet again," Rep. Tom Davis (R-Va.), chairman of the House
Government Reform Committee, told a hearing on Capitol Hill yesterday.
"Our analysis reveals that the scores for the Departments of Defense,
Homeland Security, Justice, State, the agencies on the front line in
the war on terror, remain unacceptably low or dropped precipitously."
The results come from the fourth annual review of government agencies'
information security under the Federal Information Security Management Act
(FISMA).
This year, 10 agencies showed improvement with the National Aeronautics
and Space Administration, for instance, raising its score from a D- in
2004 to a B- in 2005.
Eight agencies received a worse grade this time around. The Department of
Justice went from a B- in 2004 to a D in 2005, and the Nuclear Regulatory
Commission dropped from a B+ to a D-.
Five agencies, including DHS, the Department of Veterans Affairs and the
Department of Energy, maintained a failing grade year over year.
Davis said the committee is concerned about several specific areas of
network security: specialized training for workers with significant
security responsibilities, inconsistent incident reporting,
implementation of configuration management policies, annual testing of
security controls and agency responsibility for contractor systems.
Gregory C. Wilshusen, director of Information Security Issues at the U.S.
Government Accountability Office, told those at the hearing that
information security has long been identified as a government-wide,
high-risk issue.
"For many years, we have reported that poor information security is a
widespread problem that has potentially devastating consequences," he
said. "The degree of risk caused by security weaknesses is high. The
weaknesses we identified place a broad array of federal operations and
assets at risk."
Wilshusen pointed to problems with many agencies’ contingency plans.
"Agencies reported that only 61 percent of their systems had tested
contingency plans, thereby reducing assurance that agencies will be able
to recover from the disruption of those systems with untested plans," he
said. "Although this number continues to show small increases each year
since 2003… five agencies reported less than 50 percent of their
systems had tested contingency plans."
Another report released Thursday by INPUT, a Reston, Va.-based analyst
firm and consultancy focused on government business, also gave the
government dismal computer security marks.
The report called FISMA "largely ineffective."
"FISMA has become a largely paperwork drill among the departments and
agencies, consuming an inordinate amount of resources for reporting
progress, while putting in place very little in the way of actual
security improvements," Bruce Brody, vice president of information
security at INPUT, said in a written statement.
Scott Charbo, chief information officer of the Department of Homeland
Security, was upbeat in his statement to the hearing, despite
his agency's results on this year's score card.
"The department's [information security] program has come a long way in
just three short years," he said, adding that the agency's work has
"paved the way for real and measurable cyber security improvements in
the near future… I am confident that the DHS Information Security
Program is moving in the right direction."
Chairman Davis, though, voiced his concerns in his opening statement.
"If FISMA was the No Child Left Behind Act, a lot of critical agencies
would be on the list of 'low performers'," he said. "None of us would
accept D+ grades on our children's report cards. We can't accept these
either."