Rep. Adam Putnam (R-Fla.), chairman of a House Subcommittee on Government Reform, on Tuesday called for a change in corporate culture among enterprise decision makers to address shortcomings in network security. Putnam's remarks came after the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census doled out failing grades for computer network security to several federal agencies.
Notably, the Department of Homeland Security, the State Department, and the departments of the Interior and Justice were given Fs, while the Department of Defense, the Department of the Treasury, NASA and others received Ds. The overall government grade was a D.
The grades were assigned based on information reported to the Office of Management and Budget in accordance with the Federal Information Security Management Act (FISMA). FISMA, which was used for the first time this year, is the framework used for the annual security reviews. It evaluates an agency's risk assessments, security policies and procedures, employee testing, incident reporting and more. FISMA requires that agencies annually test the effectiveness of security policies and procedures, and it allows each to develop individual configuration requirements to comply with the act.
"The choice before us is a clear one: Inaction resulting in eventual economic devastation and potentially catastrophic loss of life, or preemptive action to protect our nation," Putnam said. "I, for one, vote for action. And today as I stand before you, I recommit the resources of my subcommittee to doing everything we can to ensure we adequately protect our nation against cyberattack."
One silver lining is that many grades were up from the 2002 evaluation, an indication of some progress, said Rich Caliari of Harris Corp.'s STAT network security unit.
"People tend to be impatient with the government when it comes to security, but this has to be a multi-year effort because many agencies are dealing with legacy systems," Caliari said. "If agencies are doing three-, four- or five-year hardware refreshes, many are going to let these systems sit the way they are. If you've got a Windows 95 workstation, it's about as secure as you can make it right now."
The Nuclear Regulatory Commission made the biggest leap, grade-wise. The commission received an F in 2001 but was rewarded with an A this year. Others, like the departments of Labor, Commerce, Education and Veterans Affairs, have climbed from Fs to Cs in the last two years. The National Science Foundation also earned an A.
"Business can take away that they should not set unrealistic expectations," Caliari said. "They are not going to solve the security problem in two months."
Another tenet of FISMA is that it requires the National Institute of Standards and Technology (NIST) to develop boilerplate documents and procedures that agencies can use as standards.
"That data has been published and it's available to business. It's a great resource," Caliari said.