"One should never underestimate the power of [DOT Secretary Norman Mineta] telling the staff that he wants to make this happen," Matthews said. "I don't think there are a lot of agencies that do have the CIO talking to the secretary on a near daily basis."
Fifteen federal information security officers said establishing enforceable internal computer security policies was the key driver in improving their agencies' cyber-security grades, according to a phone survey conducted by Telos Corp., a government technology contractor. Thirty out of 117 federal chief information security officers were contacted for the survey, results of which were released today in conjunction with the cyber-security report cards.
Some computer security experts expressed concern that the annual report cards amount to little more than a bureaucratic exercise. For years, lawmakers in Congress have warned federal agency leaders that they would slash funding for technology projects that fail to meet basic computer security requirements. But despite such threats, agency funding has remained unaffected by high or low grades on the computer security report cards, according to federal security officers contacted for the Telos survey.
"If there are no incentives for agencies to comply with FISMA requirements, what is the point?" said Richard P. Tracy, chief security officer for Telos.
Amit Yoran, a former high-ranking cyber-security official in the Bush administration, said the report cards sometimes don't completely measure all the steps agencies have taken to improve security.
"This is more an audit of agency paperwork than it is jacking into the networks and looking at the systems and actual performance of an agency's security technologies," Yoran said. "That said, it is clear that the government is not at a level it needs to be in protecting its own systems."
Rep. Davis said cutting technology budgets for agencies that fail to improve their cyber-security grade could prove counterproductive. But he said he plans to examine ways to amend the current law so that agencies that show marked improvements are rewarded for their progress.
"We'd like to make sure FISMA doesn't become a paperwork exercise where agencies comply with the letter of the law but not the spirit of it," he said.