Government Nearly Fails IT Security Test
The U.S. Government received a “D-plus” grade overall on the House Government Reform Committee’s 2004 information security report card, based on requirements set out in the Federal Information Security Management Act (FISMA). Seven government agencies, including the Department of Homeland Security, flunked the congressional oversight committee’s annual IT security assessment.
“The government continues to expand its e-government initiatives and search for more ways to leverage its information technology,” Representative Tom Davis (R-Va.), chairman of the committee, told CertMag EXTRA. “Therefore, information security is more important now than ever. Given the interconnectivity of systems across cyberspace, all it takes is one weak link to break the chain. The vulnerabilities of our systems are significant, and the potential damage that can be done is almost unspeakable. That’s why I drafted the Federal Information Security Management Act (FISMA) of 2002, to require agencies to protect themselves against this ever-changing scope of cyber threats.”
According to Davis, FISMA requires each federal agency to establish a comprehensive, risk-based approach to information security management across each department. This includes risk assessments, risk management policies, security awareness training and periodic reviews. FISMA also compels agency heads and inspectors general (IG) to evaluate their computer security programs and report the results of those evaluations to the Office of Management and Budget (OMB) in September of each year along with their budget submissions. In addition, FISMA requires agency heads to report the results of those evaluations annually to Congress and the Government Accountability Office. The House Government Reform Committee’s computer security grades are based on information contained in the FISMA reports from agencies and IGs.
“Unfortunately, it’s taking time for the goals and requirements of FISMA to sink into some of our agencies,” Davis said. “There is tremendous pressure on IT managers to do so many different things. The Clinger-Cohen Act requires agencies to link capital planning and investment control to performance goals and the budget process. In implementing Clinger-Cohen, the Office of Management and Budget decided to use enterprise architectures (EA) as the primary mechanism to drive improvement in IT management. The problem is that cyber-security is not always the main focus in the planning process. At the end of the day, we want agencies to concentrate on security management issues. This was the impetus of the Clinger-Cohen Amendment – which I included in the ‘9-11 Implementation Act’ – that requires agencies to incorporate security in the planning, procurement and management of their information technology.”
OMB provided last year’s final reporting guidance on Aug. 23 to agencies and IGs on implementation of the provisions of FISMA, and instructed the agencies to submit reports that summarized the results of annual IT security reviews of systems and programs, agency progress on correcting identified weaknesses and the results of IGs’ independent evaluations. Similar to last year’s guidance, agencies and IGs were required to use specific performance metrics required for program officials, chief information officers (CIO) and IGs in assessing and reporting the status of their agencies’ security program. The final scores are based on annual testing, plan of action and milestones, certification and accreditation, configuration management, incident detection and response, training and systems inventory.
Not all of the news in the 2004 IT security assessment was negative, Davis said. “The 2004 FISMA grades indicate that some agencies have made significant improvements in certifying and accrediting systems, annual testing, and security training. Also, a greater emphasis was placed on evaluating the agencies’ systems inventories, which most agencies have completed.
“The Department of Transportation, which received an ‘A-minus,’ should be commended for the tremendous security improvement it accomplished this year, most notably in the area of certification and accreditation. Other agencies that deserve commendation may not have received As, such as Justice, but they have achieved large score increases. They’ve covered a lot of ground in a short period of time. For instance, while the State Department’s grade only increased to a ‘D-plus,’ it’s important to acknowledge their accomplishments this year; they earned a 30-point gain in their score, and are only a half a point away from a ‘C.’”
Many areas still need improvement, such as annual review of contractor systems, testing of contingency plans, configuration management, incident reporting and specialized training for employees with significant security responsibilities, Davis said. He added that steps were being taken to improve these aspects of IT security in government.
“Given that the private sector is years ahead of the federal government in terms of IT security, my committee and the CIO Council helped form the Chief Information Security Officer (CISO) Exchange, a public-private initiative focused on empowering federal CISOs to improve IT security,” he said. “This CISO Exchange will convene quarterly educational meetings to encourage the exchange of ideas and best practices between government and private sector information security professionals.”
While the assessments have been criticized by some as being a series of unnecessary, overly bureaucratic tasks, Davis maintains that these evaluations are a valuable and crucial service for IT security development in government. “I realize the FISMA process is not a perfect one and that it is not a panacea; there may be a need for amendments to facilitate implementation of the security concepts that drive FISMA,” he said. “Having said that, the grades provide Congress a ‘snapshot’ view to gauge an agency’s information security progress, provide agencies with a strong management framework and give agencies an objective benchmark from which to analyze their needs, strengths and weaknesses. We look to the CIOs and CISOs to help improve the process. We want to hear from them about what challenges they face, what additional resources they may need and what they think Congress can do to help. Ultimately, we want to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law. We don’t want them filling out forms to simply fill out forms.
“Our committee’s primary goal is to help create a 21st century government to meet 21st century challenges and fight 21st century enemies. Our optimal weapon in this struggle is information: information moved within agencies and across departments, and information moved across jurisdictions of government, as well—seamlessly, efficiently, securely. That cannot happen unless information security is a bigger priority for agencies. That’s why these grades are needed.”
For more information, see http://reform.house.gov.