When a 'D' in cybersecurity is seen as an improvement

By Anne Saita, Staff Writer
12 Dec 2003 | Security Wire Perspectives

This week's annual report card on federal agencies' cybersecurity
programs, in which the government "improved" to an overall D grade,
was the first time agency audits were based essentially on the same
criteria as the previous year's. That should have quelled criticism
that year-to-year comparisons -- and perhaps a few flunking scores --
were unfair.
But, of course, we're talking about the government. Gripes are a
given.
Leaders like U.S. Rep. Adam Putnam (R-Fla.), whose House subcommittee
published the results Tuesday, still questioned the validity of the
grades after learning only five of the 24 agencies did full
inventories of their critical IT systems -- a requirement of the
Federal Information Security Management Act that prompted the annual
security reviews four years ago. "We can't trust these numbers if we
don't have accurate inventories," Putnam told Washington Technology
magazine.
But Putnam and other politicians still agreed that despite the
inconsistencies, the abysmal scores indicate most U.S. agencies don't
have their act together when it comes to internal security policies.
"We are just not doing enough to achieve the results that we must
achieve," said Bob Dix, staff director for the subcommittee on
technology, in another published report.
Fourteen agencies failed this time around with either a D or F. Among
the poorest performers were the departments of State, Agriculture,
Energy, Justice, Interior, Housing and Urban Development, and Health
and Human Services.
Somewhat surprising was the F rating for the new Department of
Homeland Security, whose mission includes promoting cybersecurity
nationwide. That score, the first for DHS, may be influenced by the
agency's nascence and ongoing reorganization.
Still, others question how the agency charged with promoting
cybersecurity can have so many internal problems, despite its
"startup" status. One theory repeatedly popping up in online forums
questions the dedication of the federal IT workforce, which typically
makes less in wages but enjoys better job security than the private
sector. Others, however, say that's bunk and the widespread problem
has more to do with agency leaderships' lack of commitment to the
cause.
There were kudos to hand out -- and bring up the overall average
grade -- as well. The Nuclear Regulatory Commission and National
Science Foundation both scored the first A's in the
scorecards' history. The Social Security Administration turned in a
commendable B+, while the Department of Labor earned a B.
Common factors among the highest performers include strong incident
and reporting procedures, tight controls over government contractors
and sound action plans when security problems are discovered.