Information Security News mailing list archives

Agencies flunk security review


From: InfoSec News <isn () c4i org>
Date: Tue, 13 Nov 2001 01:44:17 -0600 (CST)

http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp

By Diane Frank 
Nov. 12, 2001

A House panel last week gave two-thirds of all federal agencies a
failing grade for their efforts to secure information systems, a worse
showing than last year that was attributed to greater awareness of
security vulnerabilities.

Rep. Stephen Horn (R-Calif.), who has graded agencies on several
information technology management topics over the years, gave the
government an overall grade of F for its effort to secure IT systems,
with 16 of 24 agencies surveyed receiving the failing grade. Only one
agency received a grade higher than a C-plus.

"It is a disappointing feeling to announce that the executive branch
of the federal government has received a failing grade for its
computer security efforts," said Horn, chairman of the House
Government Reform Committee's Government Efficiency, Financial
Management and Intergovernmental Relations Subcommittee, at the Nov. 9
hearing during which he released the grades.

The grades are disappointing, even if they help wake up agency
managers to the fact that there's a lot of work to be done to secure
the systems, said Sallie McDonald, assistant commissioner for
information assurance and critical infrastructure protection at the
General Services Administration.

Last year, Horn gave the government an overall grade of D-minus, with
seven agencies getting F grades. Horn and other officials attributed
the worsening grades to a more thorough investigation into IT
security. Last year, Horn collected information using a questionnaire
developed by his staff. This year, however, he based his grades on the
first comprehensive evaluations of agencies' security programs
mandated under the Government Information Security Reform Act (GISRA).
Agency chief information officers and inspectors general submitted
those reports Sept. 10 to the Office of Management and Budget.

After realizing that assessing their systems was becoming increasingly
important, agencies conducted other security reviews, resulting in a
greater awareness of security vulnerabilities, said Robert Dacey,
director of information security issues at the General Accounting
Office.

"Not surprisingly, this has led to the identification of additional
areas of weakness at some agencies," he said.

With creation of the Office of Homeland Security and a cyberspace
security adviser, "it is important that federal information security
be guided by a comprehensive strategy for improvement" with detailed
plans and the resources to back them up, Dacey said.

The Information Technology Association of America, which labeled the
security grades "unacceptable," also called for more funding. "It's
important to recognize this challenge, but it is also equally
important to put in place the investment to address it," said Shannon
Kellogg, ITAA's vice president of information security programs. "The
reality is that the CIOs in all these agencies are expected to take
money for security out of hide."

The administration, however, is not inclined to request more spending
on security because an OMB analysis shows no significant relationship
between the percentage of IT spending on security and the soundness of
the security at an agency, said Mark Forman, OMB associate director
for information technology and e-government.

OMB estimates that agencies will spend at least $2.7 billion on
security in fiscal 2002 and they must learn to spend it more wisely,
Forman said. "We don't believe that simply adding more money will
solve the problem," he said.

The administration, dissatisfied with the security data agencies
supplied in the GISRA reports, has asked agencies to provide more
details on specific agency programs to better understand the extent of
the security problems.

"This is the best set of information we've gotten so far, [but] we
want more," Forman said. "When we get into the details, I think we're
going to find a mixed bag, and that's where we need to go in the next
year."

OMB has asked agencies to reallocate money to conduct more in-depth
assessments, especially for a program called Project Matrix. The
Critical Infrastructure Assurance Office developed the Matrix program
to identify agencies' critical assets, prioritize them from the most
to the least critical and determine how co-dependent they are on one
another. Several agencies have completed the assessment. OMB has
directed the other agencies to reallocate fiscal 2002 funds for Matrix
reviews.

Once the reviews are completed, OMB will identify several
governmentwide activities and lines of business for additional Matrix
reviews to create a horizontal view of the government's
vulnerabilities, Forman said.

For fiscal 2003, OMB will continue to follow the policy set by the
Clinton administration that any funding request for an information
system with inadequate security will not be included in the
president's budget submission, Forman said.

OMB will also use the GISRA reports and budget meetings with agencies
"to determine whether OMB must take steps to assist agencies in
quickly correcting their most serious weaknesses," he said.

OMB Director Mitchell Daniels Jr. plans to meet with agency heads "to
impress upon them that true improvements in security performance come
not from external oversight but from within," Forman said.

Daniels' meetings are a good sign, McDonald said. During the rush to
fix the Year 2000 problem, agency heads did not pay attention to the
issue until John Koskinen, President Clinton's Year 2000 czar, met
with them in person, she said.

OMB also must involve the President's Management Council in the effort
so that department secretaries and deputy secretaries understand their
roles in security, experts say.

"If you make it difficult for secretaries to ignore [security], then
the problem will get fixed much more quickly," said Alan Paller,
director of research for the SANS Institute, a security education and
consulting organization.


New set of security grades from Horn

(Last year's scores in parentheses; "Inc" means incomplete)

Agency                           Last year   This year
Agriculture                      (F)         F
USAID                            (C-)        F
Commerce                         (C-)        F
Defense                          (D+)        F
Education                        (C)         F
Energy                           (Inc)       F
HHS                              (F)         F
Interior                         (F)         F
Justice                          (F)         F
Labor                            (F)         F
Nuclear Regulatory Commission    (Inc)       F
OPM                              (F)         F
SBA                              (F)         F
Transportation                   (Inc)       F
Treasury                         (D)         F
VA                               (D)         F
NSF                              (B-)        B+
Social Security                  (B)         C+
NASA                             (D-)        C-
EPA                              (D-)        D+
State                            (C)         D+
FEMA                             (Inc)       D
GSA                              (D-)        D
HUD                              (C-)        D
Governmentwide grade             (D-)        F



ISN is currently hosted by Attrition.org
