By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, March 15, 2006 5:00 PM
Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.
The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, and Veterans Affairs.
The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004.
Several agencies saw a considerable drop in their scores. The Department of Justice went from a B-minus in 2004 to a D in 2005; Transportation fell from A-minus to C-minus; and Interior earned failing marks after getting a C-plus in 2004.
The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?"
The annual report bases the grades on the agencies' internal assessments and on information they are required to submit annually to the White House Office of Management and Budget. The letter grades depend on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA).
FISMA requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.
As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner.
But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.
"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."
Davis said he is interested in examining ways to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law.
"We don't want them filling out forms to simply fill out forms, but in my experience, when it comes to information security, it is still difficult to get people -- even members of Congress -- engaged in the issue," Davis said. "An attack could originate anywhere at any time, and FISMA is the best tool we have to ensure that agencies are proactively securing themselves."
While a number of agencies performed worse last year than in 2004, many showed marked improvement in meeting federal computer security requirements.
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.