Feds get C-minus on security
Posted by: Robert Westervelt
The federal government was given an overall grade of C-minus for information security improvements from 2005 to 2006, according to a report released today by Rep. Tom Davis (R-Va.), who heads the House Government Oversight and Reform Committee. Here’s a link to the FISMA ‘06 report card.
The C-minus grade is an improvement over previous years. Davis had given the government grades of D-plus, D-plus and D over the last three years. “Obviously, challenges remain. But there are some excellent signs of progress in this year’s report, and that’s encouraging,” Davis said in a statement.
Security experts don’t put any major credence in the grades other than the fact that they highlight the need for better security programs within federal agencies. Other groups also rate the federal government on security. In January, The Cyber Security Industry Alliance, a lobbying group of security vendors, gave the feds a D grade.
The grades are derived from annual reports agencies produce to comply with the Federal Information Security Management Act (FISMA). The act requires agencies to report on their information security projects. Agencies are rated on their plans of action and milestones or corrective action plans, whether they certify and accredit their systems as secure, how well they manage the configuration of their computers to ensure security, how they detect and react to breaches of security, their training programs and the accuracy of their inventories.
NASA and the Department of Education received the worst grades. NASA fell from B-minus to D-minus, and the Department of Education fell from C-minus to F. Other departments that received an F grade were the Department of Defense, Department of Commerce, and the Department of the Interior.
The Department of Veterans Affairs, which has come under increased scrutiny in recent years, was left out of the report, because it did not provide its 2006 FISMA report.
The Department of Homeland Security received a D this year, the first time since ratings began in 2003 that it did not receive an F. Davis said DHS finally established an inventory of its secure computer systems – a critical first step to information security.
The Department of Justice and the Department of Housing and Urban Development showed the most improvement from 2005 to 2006. Justice jumped from a D to an A-minus, and HUD climbed from D-plus to A-plus. HUD had, for the first time, developed a full inventory of its information security apparatus, a major plus in the grading, Davis said.


