Saturday, February 19, 2005

2004 US Government Security Report Card

This is the US House Committee on Government Reform 2004 report card for US Federal government security. I wrote about the report for CY 2003 at the end of 2003. The big news for this year's report card are the huge swings made by some agencies. Justice and Interior improved from F's to B- and C+, respectively, while State marginally moved out of the failing category by progressing from F to D+. Others regressed, some substantially; the NSF dropped from an A- to C+, Commerce from C- to F, and the VA from C to F. Overall, 7 out of 24 agencies received F's, balanced by 7 with B's or better.

The "Report Grading Elements" (.pdf) used the following major categories to grade agencies:

1. The percentage of the agency's programs and systems reviewed, including contractor operations or facilities in FY04 by CIOs and IGs.
2. The degree to which agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or services provided by another agency are adequately secure and meet policy requirements.
3. The degree to which the agency used the NIST self-assessment guide or equivalent methodology to conduct its reviews.
4. The agency developed (Plan of Action and Milestones) POA&Ms for each significant deficiency identified in FY04.
5. The agency developed, implemented, and managing an agency-wide plan of action and milestone process.
6. Certification and accreditation topics.
7. The CIO implemented agencywide policies that require detailed specific security configurations and what is the degree by which the configurations are implemented.
8. Incident detection, response, and reporting topics.
9. The CIO has ensured security training and awareness of all employees, including contractors and those with significant IT Security responsibilities.
10. The progress the agency has made to develop an inventory of major IT systems.

How were grades asigned? The Grading Methodology (.pdf) says:

"The Committee's computer security grades are based on information contained in the Federal Information Security Management Act (FISMA) reports from agencies and Inspectors General (IG) for fiscal year 2004. On December 17, 2002, the President signed into law the Electronic Government Act. Title III of that Act is the FISMA. FISMA lays out the framework for annual IT security reviews, reporting and remediation planning at federal agencies. FISMA requires that agency heads and IGs evaluate their agencies computer security programs and report the results of those evaluations to the OMB in September of each year along with their budget submissions. FISMA also requires that agency heads report the results of those evaluations annually to the Congress and the Government Accountability Office."

Notice that these grades do not reflect the effectiveness of any of these security measurements. An agency could be completely 0wn3d (compromised in manager-speak) and it could still receive high scores. I imagine it is difficult to grade effectiveness until a common set of security metrics is developed, including ways to count and assess incidents.

Here are the grades from previous years, courtesy of Homeland Security IntelWatch:

1 comment:

Anonymous said...

Some of those grade changes may be a bit misleading, although I have to admit I am not intimate with their methods. However, for a department such as the Interior, it is no surprise they are up a bit. Because of past failures, I believe they are still, as a department, not allowed onto the Internet except through frame-relay connections to the resources they absolutely need...otherwise they were put on probation.

You bet that eliminates a good chunk of risk, so might influence the score a bit.

Still interesting though.

I can say from dealings with NRC and the DOT, I am not surprised by those higher grades...they seem to be pretty concious of security. However, it is almost disturbing to see such poor grades by the DOD and DHS.