Fed Security Systems
Again Receive Failing Grade

Only three government agencies received passing marks on their annual report card—Justice, State and Defense Departments all failed to pass the test.

by Roy Mark of internetnews.com [November 21, 2002]

Only three government agencies received passing grades in Rep. Steven Horn's (R-CA) annual report card on federal computer systems security. The government's overall score for its security systems was 55, a slight improvement over last year's 53.

Horn made the grades public this week at a hearing of the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. Based on studies conducted by the General Accounting Office (GAO), the Office of Management and Budget (OMB), and agencies' CIOs and inspectors general, Horn's scores are based on weighted averages of each agency's performance in five major areas.

The three agencies posting passing scores were the Social Security Administration: (B-), the Labor Department (C+) and the Nuclear Regulatory Agency (C). The other 21 agencies on Horn's report card, including the Departments of Defense, Justice and NASA, received grades of D+ or lower. Fourteen agencies received an F.

The Department of Transportation (DOT), which, among other critical systems, controls the nation's air transportation system, finished last among the agencies for systems security with a total score of 28 out of a possible 100 points.

The GAO also presented a reported to the subcommittee that was highly critical of federal systems.

"Since September 1996, we have reported that poor information security is a widespread federal problem with potentially devastating consequences," the report stated. "Although agencies have taken steps to redesign and strengthen their information security system programs, our analysis of information security at major federal agencies have shown that federal systems were not being adequately protected from computer-based threats."

The GAO report was based on an analysis of six areas of security control: (1.) security program management; (2.) access controls; (3.) software development and change controls; (4.) segregation of duties; (5.) operating systems controls; and (6.) service continuity.

In its review from October 2001 to October 2001 of this year, the GAO concluded that federal systems "continue to show significant weaknesses that put critical operations and assets at risk."

Mark Forman, the OMB's associate director for IT and e-government, told the committee an agency's CIO is the key to implementing strong security.

"Where we have seen progress, there has been clear action taken to empower the CIO. Transportation is one where there is a less-than-powerful CIO," Forman said.

DOT's inspector general, Kenneth Meade said his agency currently does not have a CIO and, in fact, has had a permanent CIO for only 18 months since Congress mandated all agencies have a CIO in 1996.

Agencies receiving below average scores included Commerce (D+), NASA (D+), Education (D), Environmental Protection (D-), Health and Human Services (D-)and the National Science Foundation (D-).

Agencies flunking the test were International Development, Agriculture, Defense, Energy, FEMA, HUD, Interior, Justice, Office of Personnel Management, SBA, State, Transportation, Treasury and VA.

In related news ...
The U.S. Senate Tuesday night passed the House version of the Homeland Security bill creating a cabinet-level Department of Homeland Security combining 22 federal agencies with an estimated budget of $37.4 billion, including $2.12 billion for IT. The measure represents almost a year of often intense legislative debate and calls for the most sweeping reorganization of the executive branch in the last half century.

President George W. Bush, who has called the passage of the legislation "the single most important business" before the lame duck Congress, is expected to sign the bill into law in a matter of days.

The major agencies giving up their independent status and joining the Department of Homeland Defense include the Secret Service, the Coast Guard, the Customs Service, the Federal Emergency Management Agency and the Immigration and Nationalization Service.

The bill includes allowing the new Secretary of Homeland Defense to designate a lead research organization to help coordinate security research across the government, the academic community and the private sector.

Another new provision, adopted from an earlier Senate version, establishes and funds a Homeland Security Advanced Research Projects Agency, similar to DoD's DARPA, to help identify promising technologies.

The legislation also adds two new provisions that "encourage partnerships between government and the private sector to better protect civilian infrastructures such as telecommunications, transportation nodes and power grids."

In addition, it establishes procedures to encourage private industry to share infrastructure vulnerabilities with the government to help identify and correct weaknesses and calls for a so-called NET Guard, volunteer teams to help local communities respond and recover from attacks on information systems and communications networks.

The combined 2002 IT budgets for the agencies being incorporated into the new department is $1.47 billion. That number is expected to jump to $2.12 billion in 2003. Overall, the Government Electronics and Information Technology Association (GEIA) is predicting total federal IT spending will be approximately $53 billion. According to GEIA federal IT spending will reach approximately $67 billion by 2008.

— End