Fed Security Systems Receive Failing Grades
Only three government agencies receive passing marks on annual report card; Justice, State and Defense Departments all flunk.
Only three government agencies received passing grades in Rep. Steven Horn's (R.-Calif.) annual report card on federal computer systems security. The government's overall score for its security systems was 55, a slight improvement over last year's 53.
Horn made the grades public Tuesday at a hearing of the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. Horn's scores are weighted averages of each agency's performance in five major areas, based on studies conducted by the General Accounting Office (GAO), the Office of Management and Budget (OMB), and the agencies' CIOs and inspectors general.
The three agencies posting passing scores were the Social Security Administration (B-), the Labor Department (C+) and the Nuclear Regulatory Agency (C). The other 21 agencies on Horn's report card, including the Departments of Defense, Justice and NASA, received grades of D+ or lower. Fourteen agencies received an F.
The Department of Transportation (DOT), which, among other critical systems, controls the nation's air transportation system, finished last among the agencies for systems security with a total score of 28 out of a possible 100 points.
The GAO also presented a report to the subcommittee that was highly critical of federal systems.
"Since September 1996, we have reported that poor information security is a widespread federal problem with potentially devastating consequences," the report stated. "Although agencies have taken steps to redesign and strengthen their information security system programs, our analysis of information security at major federal agencies has shown that federal systems were not being adequately protected from computer-based threats."
The GAO report was based on an analysis of six areas of security control: (1.) security program management; (2.) access controls; (3.) software development and change controls; (4.) segregation of duties; (5.) operating systems controls; and (6.) service continuity.
In its review from October 2001 to October 2001 of this year, the GAO concluded that federal systems "continue to show significant weaknesses that put critical operations and assets at risk."
Mark Forman, the OMB's associate director for IT and e-government, told the committee an agency's CIO is the key to implementing strong security.
"Where we have seen progress, there has been clear action taken to empower the CIO. Transportation is one where there is a less-than-powerful CIO," Forman said.
DOT's inspector general, Kenneth Meade, said his agency currently does not have a CIO and, in fact, has had a permanent CIO for only 18 months since Congress mandated in 1996 that all agencies have a CIO.
Agencies receiving D's included Commerce (D+), NASA (D+), Education (D), Environmental Protection (D-), Health and Human Services (D-) and the National Science Foundation (D-).
Agencies flunking the test were International Development, Agriculture, Defense, Energy, FEMA, HUD, Interior, Justice, Office of Personnel Management, SBA, State, Transportation, Treasury and VA.