By Brian Krebs
washingtonpost.com Staff Writer
Thursday, April 12, 2007 12:00 PM
The federal government earned an overall grade of "C-minus" last year for securing its computer systems and networks from hackers, viruses and insider threats, a slight improvement over its performance in 2005.
According to data to be released by a House committee today, the Department of Defense led a group of eight agencies that received failing marks for computer security. Also receiving that dubious distinction were the departments of Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. The Department of Homeland Security earned a D, although its overall performance improved since 2005. The Department of Veterans Affairs did not provide enough data to earn a grade. In 2005, it received an F.
While the government-wide grade improved from a D-plus in 2005, nine agencies earned lower scores than they did the previous year, with some falling behind considerably. The National Aeronautics and Space Administration was awarded a grade of B-minus in 2005 and dropped to a D-minus in 2006. The Department of Education was assigned a failing grade for 2006, after earning a C-minus the prior year.
Eight agencies earned grades ranging from A-minus to A-plus, with some showing strong improvement. The groups leading this year's report card were the Agency for International Development, Environmental Protection Agency, General Services Administration, the departments of Justice and Housing and Urban Development, the National Science Foundation, the Office of Personnel Management, and the Social Security Administration.
The grades were based on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements detailed in the Federal Information Security Management Act.
The 2002 law, known as FISMA, requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.
The scores will be handed out today by Rep. Tom Davis (R-Va.), the ranking member of the House Oversight and Government Reform Committee and author of the FISMA law.
Critics of the process have called the annual FISMA reports more of a paperwork exercise than an accurate representation of the security of federal agencies' computers and networks. They say the reports neither require, nor give agencies credit for, certain types of security precautions, such as penetration tests that locate gaps in security defenses.
David Marin, Davis's staff director, said the congressman plans to address those criticisms by awarding extra credit points in next year's grades to any agency that beats a White House deadline for meeting new federal computer security standards. An administration memo issued last month requires agencies to ensure that any existing or newly purchased personal computers running Microsoft Windows XP or Vista include certain default security settings, designed to reduce the time and money spent securing those computers and repairing systems that have been compromised by hackers or viruses.
Alan Paller, director of research for the SANS Institute, a security training group based in Bethesda, Md., has been a vocal critic of how FISMA measures security at federal agencies. But Paller said Davis's incentive program could have "a profound effect" on the level of computer security at federal agencies.
"Shifting even half the money from report writing to actual security improvements could enable the government to lead by example in cyber security and provide the critical mass of incentive to integrators and system and software vendors to bake security into every product they sell," Paller said.