Overall grade stays at D+; execs say complexity works against compliance

A congressional committee last week released a report card giving the federal government an overall grade of D+ on computer security for the second year in a row -- a rating that prompted harsh words from some lawmakers but also sparked a debate over how useful the grading process is.

At a hearing on Thursday, members of the House Committee on Government Reform lectured IT executives from the Pentagon and the U.S. Department of Homeland Security about the failing cybersecurity scores that the two agencies received as part of the panel's annual evaluation. "I don't feel comfortable that my homeland is secure," said Rep. Diane Watson (D-Calif.).

In response, DHS CIO Scott Charbo and Robert Lentz, director of information assurance at the U.S. Department of Defense, said the size of the agencies, combined with their widely dispersed workforces and varied missions, results in complex IT environments that are frequently modified as business needs evolve.

"We have a very large and very diverse and dynamic organization deployed worldwide," Lentz said. "Things are changing all the time."

That can make it hard for the DHS and the DOD to comply with the Federal Information Security Management Act, according to Charbo and Lentz. The annual security report card issued by the House reform committee is based on FISMA, which was approved by Congress and signed into law in 2002.

Karen Evans, administrator of e-government and IT within the White House's Office of Management and Budget, agreed with Charbo and Lentz that large agencies can have a tougher time complying with FISMA than smaller ones.

Rep. William Lacy Clay (D-Mo.), another member of the reform committee, was unmoved. "It sounds as if you are defending the incompetency of DHS," he told Evans.

But Rep. Tom Davis (R-Va.), the committee's chairman, showed some sympathy for agencies such as the DHS and DOD. For example, he noted that the DHS brought together more than 20 federal agencies when it was formed in 2003. "This is a work in progress," he said of efforts by the DHS to bring all of its systems into compliance with FISMA's requirements. "This takes years."

Some analysts questioned the effectiveness of the entire FISMA process, saying that the assessments don't provide a true picture of the IT security capabilities at federal agencies and don't do much to promote improvements in the government's security mechanisms.

FISMA requires agencies to prepare IT inventories, test their systems for security vulnerabilities and develop remediation plans in case systems are affected by major attacks or outages. Reports prepared by agency CIOs and inspectors general are designed to gauge whether the departments meet FISMA's security standards.

But rather than focusing on FISMA, the government should adopt security scorecards that measure the real-world "readiness" of its computer systems, much like the military reports on the battle-readiness of its weapons systems, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.

The security certification and accreditation reports required under FISMA "are 90% documentation," Paller said. "The consultants that write these reports have never secured a computer system. They wouldn't know a secure system if they met it on the street."

Input, a Reston, Va.-based market research firm that focuses on government IT issues, said in a report released last week that FISMA "can be assessed as largely ineffective" in improving the IT security posture of federal agencies.

"FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements," Input analyst Bruce Brody said in a statement.

Brody added that FISMA's focus on individual systems and sites "does not recognize the importance of backbone infrastructure security improvements."

On the latest report card, eight of the 24 agencies that were evaluated received F grades for 2005. In addition to the DHS and the DOD, agencies getting Fs included the departments of State, Energy, the Interior, Agriculture, Veterans Affairs, and Health and Human Services. The DOD's grade declined from a D in 2004, while the Department of the Interior dropped down from a C+ and the State Department fell from a D+.

Other agencies that saw their 2005 grades drop from those given for the previous year included the Department of Transportation, which fell from an A- to a C-; the Department of Justice, which went from a B- to a D; and the Nuclear Regulatory Commission, which slipped from a B+ to a D-.

Seven agencies received grades of A- or better, with the Department of Labor, the Social Security Administration and the Environmental Protection Agency among the five that were given A+ grades.

Big gains were recorded by the Office of Personnel Management, which saw its grade improve from a C- to an A+, and by the National Science Foundation and the General Services Administration, which went from C+ grades to an A and an A-, respectively. In addition, NASA's grade rose from a D- for 2004 to a B- for last year.

Davis said that improving cybersecurity at the agencies still struggling to get better grades is "vital" to national security and the health of the U.S. economy. "None of us would accept D+ grades on our children's report cards," he noted. "We can't accept these, either."

Charbo said the IT security program at the DHS "has come a long way in just three short years." But he agreed with Davis that the DHS needs to do better. The sprawling agency's size and complexity "doesn't change the fact that ... we're nowhere near where we wanted to be," Charbo said.

Author: Grant Gross and Robert McMillan

Source: Computerworld, 20.03.2006