Congressional report rates cybersecurity as dismal
Eight agencies receive failing marks, but critics say the grading process doesn’t measure true security levels.
A majority of agencies received low marks from a congressional committee Thursday on their level of compliance with a federal computer system security act, but there's growing criticism that the law is ineffective.
The 24 agencies graded by the House Government Reform Committee for their compliance with the 2002 Federal Information Security Management Act fell largely in either the lowest or highest categories, with the government earning an overall grade of D+, the same mark as last year.
Eight agencies received Fs: the departments of Agriculture, Defense, Energy, Health and Human Services, Homeland Security, Interior, State and Veterans Affairs.
Another five agencies received Ds: the Nuclear Regulatory Commission and the departments of Commerce, Housing and Urban Development, Justice and Treasury.
Five agencies were awarded A+ grades: the Agency for International Development, Environmental Protection Agency, Labor Department, Office of Personnel Management and Social Security Administration.
But Bruce Brody, vice president of information security at INPUT, a Reston, Va.-based government market analysis firm, said the cybersecurity grades were "much ado about nothing." Brody recently left the chief information security officer position at the Energy Department.
He described the grading process "as an annual grandstanding event," and said FISMA has become a paperwork tool.
"You can get a good FISMA grade with a lot of paperwork, but that doesn't mean you are secure," Brody said. "FISMA has done a really good job in focusing attention and getting people at the more senior levels aware of information security, but it needs to evolve to where it is more than a paperwork exercise."
Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, also criticized the FISMA grading process and said agencies spend all their computer security funding producing reports mandated under the law and don't have the money necessary to secure their computer systems.
"The paperwork is required by a law that was written wrong," Paller said. "As long as you are asking people to write reports about computers and not secure the computers, you are not going to have security."
Lauren Kovach, director of Federal Professional Services for Internet Security Systems, an IT security firm, said rapidly changing technology is causing agencies to fall behind in securing their systems and the grades are not a good indicator of an agency's actual security.
Karen Evans, the Office of Management and Budget's Office of E-Gov and Information Technology administrator, acknowledged that agencies run the risk of turning FISMA compliance into a "paperwork exercise," but said this can be avoided.
"If you are just doing it to meet the intent of the letter of the law then it will become a paperwork exercise," Evans told Government Executive. "[FISMA is] a framework and as long as you do the things that you should be doing as you bring on new systems, or buy new technologies … you avoid it becoming a paperwork exercise."
Government Reform Committee Chairman Rep. Tom Davis, R-Va., said in a statement to Government Executive that he recognizes "that FISMA is not a panacea," but argued that it is the best tool Congress has to ensure that agencies are proactively securing their IT systems.
Davis said FISMA accomplishes the goal of having a "strong, yet flexible, protection policy in place" because it requires agencies to create a "comprehensive risk-based approach" to information security.
"Ultimately, we want to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law," Davis said. "We don't want them filling out forms to simply fill out forms."
Gregory Wilshusen, director of information security issues at the Government Accountability Office, said agencies that simply comply with FISMA's reporting requirements "are not going to enjoy the benefits offered by implementing it."
"These are just basic information security principles and practices that should be implemented," Wilshusen said of the law's requirements. "FISMA is designed to be a comprehensive framework for ensuring the effectiveness of information security controls."