This year's top performer was the Social Security Administration, which climbed from a C+ to a B-. In the cellar this year is the Transportation Department, which scored what Horn called an appalling 28 points out of a possible 100.
The California Republican issued the grades during a hearing of his House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. The scores are based on weighted evaluations of each agency's performance in five major areas. The information is drawn from studies by the General Accounting Office, the Office of Management and Budget, and agencies' CIOs and inspectors general.
Key to implementing adequate information security is an agency's CIO, several witnesses said at today's hearing.
"Where we have seen progress, there has been clear action taken to empower the CIO," said Mark Forman, OMB associate director for IT and e-government. "Transportation is one where there is a less-than-powerful CIO."
In fact, said Transportation IG Kenneth M. Mead, Transportation does not have a CIO. The department has had a permanent CIO for only 18 months since the office was mandated in 1996, Mead said.
Social Security officials attributed the agency's success to a culture of security, which has been implemented from the top down. "From its inception, SSA has been concerned about the privacy of the information it maintains," said SSA deputy commissioner and chief operating officer James B. Lockhart III. "That has infused our culture from Day 1."
Forman identified three continuing weaknesses that make federal systems vulnerable:
- A lack of system-level security plans and certifications
- A lack of agreement on the part of many IGs and CIOs as to what their agencies' weaknesses are
- A lack of prioritization in IT investments.
Under GISRA, OMB requires agencies to include IT security in their annual budget proposals or risk losing funding.
"There were a number of proposals last year we put on the high-risk list because of IT security problems identified in GISRA reports," Forman said.
OMB also issues an annual report to Congress on the state of IT security. The next report is due in February. Forman said there would likely be some discrepancies between his report and the report card. For instance, he said his staff had found that the Justice Department, which received a failing score of 56 on the report card, had made more progress than the report card indicated.
The grades, ranked in order of best to worst:
- Social Security Administration: B-
- Labor Department: C+
- Nuclear Regulatory Commission: C
- Commerce Department: D+
- NASA: D+
- Education Department: D
- General Services Administration: D
- Environmental Protection Agency: D-
- Health and Human Services: D-
- National Science Foundation: D-
- Agency for International Development: F
- Agriculture Department: F
- Defense Department: F
- Energy Department: F
- Federal Emergency Management Agency: F
- Housing and Urban Development Department: F
- Interior Department: F
- Justice Department: F
- Office of Personnel Management: F
- Small Business Administration: F
- State Department: F
- Transportation Department: F
- Treasury Department: F
- Veterans Affairs Department: F