DHS gets failing grade in computer security report

The U.S. government will get low marks for computer security in a congressional report scheduled to be released Thursday. According to documents obtained by the IDG News Service, the federal government will get a D+ overall rating in the 2005 federal computer security scorecards, the same score it received last year.

The scorecards, which are compiled by the House Committee On Government Reform, give failing grades to some of the agencies most critical to the nation’s defense, including the U.S. Department of Defense and the U.S. Department of Homeland Security (DHS), both of which received Fs.

Senior IT staffers from both of these departments are scheduled to speak at a Thursday Committee hearing, according to a note on the Committee’s Web site. Robert F. Lentz, director of information assurance with the Defense Department, and Scott Charbo, CIO for the DHS are both expected to speak during the hearing, which will “explore reasons for continued unacceptable performance by some agencies,” according to the note.

DHS, which is chartered with protecting the nation’s critical infrastructure, has received only Fs on the Computer Security Scorecard since the department was first graded in 2003.

The U.S. Department of Labor and the Social Security Administration both improved their ratings and earned A+ scores in the 2005 report.

One Democratic committee member expressed concern over the results, particularly with the DHS’s showing.

“For every agency that took a step forward in improving security, another agency has taken a step backward,” Rep. Henry Waxman (D-Calif.), the Committee’s ranking Democratic member, said in a statement. “I’m alarmed that agencies with the most critical systems and most sensitive data, like the Department of Homeland Security, have received failing grades yet again.”

Agencies that dropped from their 2004 scores included the U.S. Department of Transportation, which fell from an A- to a C-, the U.S. Nuclear Regulatory Commission, which went from a B+ to a D-, and the U.S. Department of the Interior, which dropped from a C+ to an F.

The annual scorecards are based on reports submitted to Congress by the different government agencies, as mandated by the Federal Information Security Management Act of 2002 (FISMA).

The reports are designed to gauge whether or not the departments meet federally mandated security standards, but according to one observer, they say very little about the security of the IT systems in those departments.

“You get a very low score if you haven’t finished a whole bunch of reports called Certification & Accreditation Reports,” said Alan Paller, director of research for the SANS Institute, a computer security training organization based in Bethesda, Maryland. “They’re 90% documentation of the system.”

“Even the consultants that write these reports have never secured a computer system,” he added. “They wouldn’t know a secure system if they met it on the street.”

Rather than looking at whether or not agencies are meeting FISMA requirements, the government should adopt scorecards that measure real-world “readiness” of its computer systems, much as the military reports on the battle readiness of its weapon systems, Paller said.

A spokesman for Committee Chairman Tom Davis (R-Va.) declined to comment for this story.