Cybersecurity officials turn tables on congressional graders
Chief information security officers give overseers only average grade for their report card on computer security efforts.
Federal computer security executives, who have been given an overall grade of D+ from a congressional committee for their efforts to secure information technology systems, have returned the favor with tough grades of their own for the rating process.
Each year, the House Government Reform Committee issues grades on agencies' compliance with the 2002 Federal Information Security Management Act. The grades are based on information reported by each agency and federal inspectors general to Congress and the Office of Management and Budget.
The 2004 grades found some improvement from 2003, but seven agencies, including the departments of Homeland Security and Energy, received Fs.
A survey of a quarter of agencies' chief information security officers conducted by Telos Corp. found that 36 percent gave the congressional grading process a C, and that a large majority do not believe there is any relationship between the cybersecurity report card and security funding. Another 23 percent of CISOs gave the report card a B. Fourteen percent of cybersecurity chiefs gave the report card either an A or F.
Sixty percent of CISOs said they found the report card process helpful in providing insight into their department's information technology security. But they also said that clarifying FISMA guidelines would go a long way in improving the value of the process.
Karen Evans, OMB's administrator for electronic government, said the agency is drafting updated FISMA guidance for fiscal 2005 and agency chief information officers will be able to comment prior to its publication.
Drew Crockett, a spokesman for House Government Reform Committee Chairman Tom Davis, R-Va., said in a statement that the committee was pleased to get the perspectives of the CISOs.
"Ultimately, we want to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law," Crockett said. "We don't want them filling out forms to simply fill out forms."