[ISN] U.S. Government Fails to Make Security Grade
By Caron Carlson
December 3, 2002
For the second year running, the federal government has flunked
Computer Security 101.
The 24 major agencies of the U.S. government performed so poorly this
year that lawmakers charged with overseeing government efficiency want
to tie agencies' funding to network security procedures and force them
to buy software only from a list of "qualified" products.
Despite the redoubled attention to security since the terrorist
attacks of Sept. 11, 2001, 14 of 24 federal agencies flat out flunked
their efforts to improve network safety, according to the Computer
Security Report Card released last month by the House Subcommittee on
Government Efficiency, Financial Management and Intergovernmental
Relations. This fall, the subcommittee concluded that every major
agency in the federal government houses significant network security
Perhaps most worrisome, some agencies--including some that conduct
highly confidential activity--fared even worse than they did a year
ago. The National Aeronautics & Space Administration's score fell to a
D-plus from a C-minus, and the Department of State's score fell to an
F from a D-plus.
The scores are based on numerous criteria, including employee
training, access controls, incident reporting procedures, system
software, mechanisms to ensure the security of contractor services,
and the use of performance measures, among other things. The data
comes from reports that the agencies send to the Office of Management
and Budget and audits conducted by inspectors general and the General
Demonstrating the paradox of trying to promote improved security via
public disclosure, the subcommittee declined to release detailed
evaluations of each agency.
"With computer security, it is not necessarily in the best interest of
everybody to identify specific problems," an aide on the subcommittee
said. "The agencies know, and they are the people who need to get
going on this."
The Social Security Administration made the highest grade this year,
rising to a B-minus from last year's C-plus. "[T]he Social Security
Administration continues to be a shining example of sound leadership
and focused attention toward solving this important problem,"
subcommittee chairman Stephen Horn, R-Calif., said upon disclosing the
The Nuclear Regulatory Commission earned the third highest grade this
year with a "C," which does not appear remarkable until viewed in
comparison with last year's failing grade.
In addition to tying funding to computer security, the government
should set minimum security standards for commercial off-the-shelf
software purchased by federal agencies, the subcommittee recommended
in a report titled "Making Federal Computers Secure: Overseeing
Effective Information Security Management."
The panel suggested that agencies be given a list of qualified
software products, based on tests by developers or by an independent
government agency, such as NIST or the National Security Agency.
"The current practice of releasing software without adequate security
testing and then developing patches to fix vulnerabilities creates an
untenable burden on Government systems administrators," the
subcommittee complained in the report.
Lawmakers noted that the White House's Office of Management and Budget
began using funding to try to improve computer security last year.
OMB, which is requiring agencies to identify weaknesses and submit
plans for addressing them, plans to end funding IT projects that don't
include security requirements.
In the past year, there have been significant attacks on federal
computers at the White House, the Pentagon and the Department of
Treasury, among others. Lawmakers advised that senior managers pay
more attention to network security and promote better education within
the ranks. They also suggested that all departments implement
performance measures and integrate security into their budget
The subcommittee was chaired by Horn, who is retiring at the end of
this session, so it remains unknown whether there will be a Computer
Security Report Card compiled in 2003.
ISN is currently hosted by Attrition.org