House Questions Federal IT Security
Putnam says patience running out for agencies attempting to make their systems more secure.
Members of a House panel expressed frustration Tuesday over the progress of federal agencies in securing their IT systems. Agency heads and other officials responded by saying progress was being made but significant problems remain.
The purpose of the hearing held by the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census was to explore the actions agencies are undertaking to make their systems secure.
In addition, the committee pressed officials about their compliance with the Federal Information Security Management Act (FISMA) and the results of the recently released May 2003 Government Information Security Reform Act (GISRA) report by the Office of Management and Budget (OMB).
Recent audits of 24 of the largest federal agencies identified continuing significant information security weaknesses with federal systems. The General Accounting Office (GAO), along with the OMB, continue to uncover many "serious" security weaknesses, "which put critical federal operations and assets at risk."
The House panel specifically cited the Department of State, which did not report information for the FY 2001 GISRA report. It did, however, report three material weaknesses for information security for 2002. These areas included assessing vulnerability of systems, conducting security control evaluations at least once every three years, and testing security controls.
State reported, in the 2002 GISRA report, that none of its systems have been certified and authorized, and only 15 percent have an up-to-date IT security plan. State reported that only 11 percent of its systems have contingency plans, and of those, none had ever been tested.
State Department CIO Bruce Morrison told the committee his agency was still in the early stages of developing a comprehensive cybersecurity plan but Secretary of State Colin Powell has made it a high priority.
The Department of Agriculture stated in its 2002 GISRTA report that less then 26 percent of its systems were in compliance with the eight metrics that OMB reported. The agency had 70 material weaknesses in the area of information security.
In addition, according to the Inspector General (IG), Agriculture is not conducting risk assessments of its systems in compliance with either OMB or GISRA requirements. The agency reported an increase in systems operating without written authority, and an increase in systems that do not have up-to-date IT security plans.
Agriculture Department CIO Scott Chabro blamed time and money on the inaccurate reports.
Although the Department of Treasury reported that in its 2002 GISRA report that 41 percent of its systems were assessed for risk, its IG reported that Treasury did not use an adequate methodology to determine risk. There were are also significant discrepancies in many of the metrics reported in the GISRA report between the Department and its IG.
For example, the Treasury reported that 451 of its systems were reviewed. However, the IG reports that only 204 systems were reviewed. Treasury has also reported 11 material weaknesses related to information security.
Mark A. Forman, OMB's administrator for e-government and IT, said Congress had provided the agencies with enough resources for adequate cybersecurity but noted, "there is a lot of work and it takes time." He asked the committee for patience.
Committee Chairman Adam Putnam (R.-Fla.) said patience was running out, adding, "There is very little indication that anyone takes the threat seriously."