March 16, 2006 11:57 AM PST

DHS scores F on cybersecurity report card

The U.S. Department of Homeland Security earned failing marks in an annual computer security report card released Thursday by a congressional oversight committee.

That means the federal agency tasked with principal responsibility for the nation's cybersecurity has now received a grade of "F" from the U.S. House of Representatives Committee on Government Reform for three straight years--in other words, every year of its young existence.

It's not alone. Of the 24 departments on the scorecard (click for PDF), seven others, including Energy, Agriculture, Veterans Affairs, State, and Defense, also received failing marks for 2005. The scores for both Defense and State had hovered above passing-- at D and D+, respectively--in 2004. The overall grade across all government agencies was D+, unchanged from last year.

The shortcomings were little surprise but are nonetheless "appalling," said Gene Spafford, a Purdue University computer science professor who has long been urging greater cybersecurity research and more development dollars. He served on a presidential advisory committee that released a scathing report last year called "The Cyber Security Crisis: A Failure of Prioritization."

"Despite all the rhetoric from government officials about preparedness and defense against those who would harm the U.S., it is clear that they still don't 'get it' about IT security," he said in an e-mail interview.

The report cards are based on reports from agencies about their compliance with the Federal Information Security Management Act of 2002. That law sets a broad framework of requirements, including devising an information security program, keeping an inventory of its systems, training personnel and contractors in security "awareness," evaluating the effectiveness of its program periodically, and flagging and developing plans to root out weaknesses.

To be sure, the news wasn't all bad. Seven agencies, including the Department of Labor, the Social Security Administration, and the National Science Foundation, received grades in the A range, in some cases pulling their scores up from the C range over the past year. But progress has been "uneven" on a government-wide scale, concluded the Government Accountability Office in a presentation delivered Thursday before the House committee.

The Department of Homeland Security has proven itself a particular magnet for criticism and had been chided for its failure to develop a cyber crisis contingency plan, prompting experts to question its ability to handle a massive attack. The agency recently modeled such a scenario, drawing praise from tech companies that participated, but it doesn't expect to release an analysis of its outcome until the summer.

A high-level cybersecurity czar post proposed by the department also remains vacant, though perhaps through no fault of the agency's own. A congressional bill consenting to its creation remains bottled up in committee.

DHS Chief Information Officer Scott Charbo told politicians in prepared testimony for Thursday's hearing that the department is committed to making improvements. It launched three major new tools in 2005, he said, including monthly information security scorecards for department leaders to review. By February, it had also brought 60 percent of its 700 systems into full compliance with federal security standards, up from 26 percent before launching a special "Remediation Project" in October 2005.

See more CNET content tagged:
cybersecurity, agency, grade, information security, compliance


Join the conversation!
Add your comment
Meantime, Congress scores F on preventing adware in its own report card
In a moment of great irony, though, Congress' own report card that reprimands Federal agencies on cybersecurity, includes within the PDF file what could be called "adware" -- you'll see a logo for "PDF Complete" when you open the file that pitches the sale of a premium upgrade for creating Adobe Acrobat PDF files. PDF Complete is a competing company to Adobe. Hilarious!
Posted by hpmoon (10 comments )
Reply Link Flag
That's because you have the same BIG VENDORS gumming
...up the works. They stall and manipulate and undermine until and unless they get all the $$$. Nobody's doing nothing until they've been cut in. Pathetic. Unpatriotic. Security my arse.

The United States of Commerce. All hail the dollar.
Posted by ordaj (338 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.