Information Security News mailing list archives

U.S. Government Fails to Make Security Grade


From: InfoSec News <isn () c4i org>
Date: Wed, 4 Dec 2002 02:53:12 -0600 (CST)

http://www.eweek.com/article2/0,3959,742734,00.asp

By Caron Carlson 
December 3, 2002 

For the second year running, the federal government has flunked 
Computer Security 101. 

The 24 major agencies of the U.S. government performed so poorly this 
year that lawmakers charged with overseeing government efficiency want 
to tie agencies' funding to network security procedures and force them 
to buy software only from a list of "qualified" products. 

Despite the redoubled attention to security since the terrorist 
attacks of Sept. 11, 2001, 14 of 24 federal agencies flat out flunked 
their efforts to improve network safety, according to the Computer 
Security Report Card released last month by the House Subcommittee on 
Government Efficiency, Financial Management and Intergovernmental 
Relations. This fall, the subcommittee concluded that every major 
agency in the federal government houses significant network security 
weaknesses. 

Perhaps most worrisome, some agencies--including some that conduct 
highly confidential activity--fared even worse than they did a year 
ago. The National Aeronautics and Space Administration's score fell to a 
D-plus from a C-minus, and the Department of State's score fell to an 
F from a D-plus. 

The scores are based on numerous criteria, including employee 
training, access controls, incident reporting procedures, system 
software, mechanisms to ensure the security of contractor services, 
and the use of performance measures. The data 
comes from reports that the agencies send to the Office of Management 
and Budget and from audits conducted by inspectors general and the General 
Accounting Office. 

Demonstrating the paradox of trying to promote improved security via 
public disclosure, the subcommittee declined to release detailed 
evaluations of each agency. 

"With computer security, it is not necessarily in the best interest of 
everybody to identify specific problems," an aide on the subcommittee 
said. "The agencies know, and they are the people who need to get 
going on this." 

The Social Security Administration made the highest grade this year, 
rising to a B-minus from last year's C-plus. "[T]he Social Security 
Administration continues to be a shining example of sound leadership 
and focused attention toward solving this important problem," 
subcommittee chairman Stephen Horn, R-Calif., said upon disclosing the 
grades. 

The Nuclear Regulatory Commission earned the third highest grade this 
year with a "C," which does not appear remarkable until viewed in 
comparison with last year's failing grade. 

In addition to tying funding to computer security, the government 
should set minimum security standards for commercial off-the-shelf 
software purchased by federal agencies, the subcommittee recommended 
in a report titled "Making Federal Computers Secure: Overseeing 
Effective Information Security Management." 

The panel suggested that agencies be given a list of qualified 
software products, based on tests by developers or by an independent 
government agency, such as NIST or the National Security Agency. 

"The current practice of releasing software without adequate security 
testing and then developing patches to fix vulnerabilities creates an 
untenable burden on Government systems administrators," the 
subcommittee complained in the report. 

Lawmakers noted that the White House's Office of Management and Budget 
began using funding to try to improve computer security last year. 
OMB, which is requiring agencies to identify weaknesses and submit 
plans for addressing them, plans to stop funding IT projects that do not 
include security requirements. 

In the past year, there have been significant attacks on federal 
computers at the White House, the Pentagon and the Department of 
Treasury, among others. Lawmakers advised that senior managers pay 
more attention to network security and promote better education within 
the ranks. They also suggested that all departments implement 
performance measures and integrate security into their budget 
planning. 

The subcommittee was chaired by Horn, who is retiring at the end of 
this session, so it remains unknown whether there will be a Computer 
Security Report Card compiled in 2003.
