It's that time of year when the government releases cyber security scores for its major agencies.

And things aren't looking all that good. The question is what can IT professionals in the corporate sector learn from this. And the answer is... quite a bit.

The annual study of the cyber security level at 24 government agencies is done by the House Committee on Government Reform under the Federal Information Security Management Act (FISMA). This year's report identified which agencies have made great strides in implementing their computer security programs, and which have failed in their attempts to secure their information systems.

This year's study, much like last year's, didn't paint a pretty picture.

Overall, the government received a D+ grade.

Five of the 24 agencies, including the Department of Commerce and the Treasury Department, received D grades. Eight agencies failed outright, among them the Department of Defense, the State Department and the Department of Health and Human Services.

On the other side of the grading curve, seven agencies, including the Department of Labor, the Social Security Administration and the Environmental Protection Agency, received A grades.

This year, 10 agencies showed improvement with the National Aeronautics and Space Administration, for instance, raising its score from a D- in 2004 to a B- in 2005.

Eight agencies received a worse grade this time around. The Department of Justice went from a B- in 2004 to a D in 2005, and the Nuclear Regulatory Commission dropped from a B+ to a D-.

Five agencies, including DHS, the Department of Veterans Affairs and the Department of Energy, maintained a failing grade year over year.

What Does This Mean for Us?

Does this really impact us as citizens?

Yes, it does. The information that FISMA was enacted to protect is our information. The Social Security Administration keeps track of our identifying numbers and our earnings histories. The U.S. Department of Agriculture keeps information regarding the food we eat. The Department of Homeland Security keeps information key to safeguarding us. The Department of Health and Human Services would manage the country's response to the bird flu if it came within U.S. borders.

With these agencies in control of so much information that matters to our daily lives, we should stay abreast of the FISMA reports. But that raises another question: what is FISMA all about?

FISMA requires each agency to develop, document, and implement a program to provide security for the information and systems that support the operations and assets of each agency. FISMA provides for a risk-based approach to information security management.

To meet FISMA requirements, an information security program should have the following key elements:

  • Periodic assessments of the risk, and of the magnitude of harm, that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of the agency's information or of the information systems that house it;
  • Policies and procedures that are risk-based, reduce risk cost-effectively, ensure that information security is addressed throughout the life cycle of each information system, and ensure compliance with applicable requirements;
  • Plans for providing adequate information security for the agency's networks, facilities, and information systems;
  • Security awareness training. All system users, including contractors, should be informed of the security risks to the agency's systems and of their responsibilities for complying with the agency's policies and procedures;
  • Testing and evaluation, at least once a year, of the effectiveness of security policies, procedures, and practices. For every major IT system, the management, operational, and technical controls should be tested and evaluated for effectiveness;
  • A process for planning, implementing, evaluating, and documenting remedial actions for the deficiencies that this testing and evaluation will inevitably uncover;
  • Procedures for detecting, reporting, and responding to security incidents;
  • Documented plans and procedures to ensure continuity of operations. Any information system that supports the operations and assets of the agency must have a plan for surviving a disaster.

As our federal agencies work to improve their security programs this year, perhaps we should review our own.

The same elements the government requires to protect its information belong in our corporate security programs as well. Building these elements into our companies' programs gives us a risk-based approach to keeping our information protected. One caveat: having the elements on paper is not the same as having them work. It is the annual testing of controls and the follow-through on remediation that separate a program that actually reduces risk from one that merely documents it.