This week's annual report card on federal agencies' cybersecurity programs, in which the government "improved" to an overall D grade, was the first time agency audits were based essentially on the same criteria as the previous year's. That should have quelled criticism that year-to-year comparisons -- and perhaps a few flunking scores -- were unfair.
But, of course, we're talking about the government. Gripes are a given.
Leaders like U.S. Rep. Adam Putnam (R-Fla.), whose House subcommittee published the results Tuesday, still questioned the validity of the grades after learning only five of the 24 agencies did full inventories of their critical IT systems -- a requirement of the Federal Information Security Management Act that prompted the annual security reviews four years ago. "We can't trust these numbers if we don't have accurate inventories," Putnam told Washington Technology magazine.
But Putnam and other politicians still agreed that, despite the inconsistencies, the abysmal scores indicate most U.S. agencies don't have their act together when it comes to internal security policies. "We are just not doing enough to achieve the results that we must achieve," said Bob Dix, staff director for the subcommittee on technology, in another published report.
Fourteen agencies failed this time around with either a D or F. Among the poorest performers were the departments of State, Agriculture, Energy, Justice, Interior, Housing and Urban Development, and Health and Human Services.
Somewhat surprising was the F rating for the new Department of Homeland Security, whose mission includes promoting cybersecurity nationwide. That score, the first for DHS, may be influenced by the agency's nascence and ongoing reorganization.
Still, others question how the agency charged with promoting cybersecurity can have so many internal problems, despite its "startup" status. One theory repeatedly popping up in online forums questions the dedication of the federal IT workforce, which typically earns lower wages but enjoys better job security than its private-sector counterpart. Others, however, say that's bunk and the widespread problem has more to do with agency leadership's lack of commitment to the cause.
There were kudos to hand out as well -- and they helped bring up the overall average grade. The Nuclear Regulatory Commission and National Science Foundation both scored the first A's in the scorecards' history. The Social Security Administration turned in a commendable B+, while the Department of Labor earned a B.
Common factors among the highest performers include strong incident-handling and reporting procedures, tight controls over government contractors, and sound action plans for when security problems are discovered.