The Department of Homeland Security led a list of seven agencies that received flunking grades for their cyber-security efforts in 2004, with the federal government at large earning an overall grade of "D-plus" from a key congressional oversight committee.
For the fifth straight year, at least half of all federal agencies received a grade of "D" or worse on the House Government Reform Committee's annual cyber-security report card. Agencies that received failing marks include the departments of Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development, and Veterans Affairs. A grade of "D" was awarded to the departments of Defense and Treasury, as well as the National Aeronautics and Space Administration and the Small Business Administration.
The congressional panel based the grades on internal agency assessments and information that agencies are required to submit annually to the White House Office of Management and Budget. Grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA). The law requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.
This year's overall grade of "D-plus" was up slightly from last year's "D" and the "F" grade Uncle Sam earned on the report card in 2002.
Committee Chairman Tom Davis (R-Va.) said he was encouraged by the fact that 10 agencies improved their scores over 2003, increasing the overall governmentwide grade by 2.5 points this year. But he chided agencies for not moving fast enough.
"I hope it won't take some kind of major cyber-attack to wake everybody up," Davis said.
Eight agencies earned lower grades for 2004. The departments of Commerce and Veterans Affairs saw their marks drop from a "C" two years ago to an "F" in 2004.
One explanation for the lower grades, according to Dennis Heretick, the chief information security officer for the Justice Department, is that agencies were required to meet new standards last year that were not evaluated in past report cards, such as determining how frequently agencies applied software patches to fix known computer security flaws.
Several agencies made significant gains in 2004. The Department of Justice, for example, increased its score from an "F" in 2003 to a "B-minus" last year. The U.S. Agency for International Development earned an "A-plus" -- up from a "C-minus" in 2003 -- though the agency was among three this year that failed to submit its internal assessment for an independent evaluation.
The Department of Transportation elevated its grade from a "D-plus" in 2003 to an "A-minus" last year, an increase that department chief information officer Dan Matthews attributed to high-level attention to computer security issues.