Thursday, March 16, 2006

The Department of Homeland Security gets an F in computer security

For the third year in a row, DHS gets an F for protecting its computer systems:

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004.

Several agencies saw a considerable drop in their scores. The Department of Justice went from a B-minus in 2004 to a D in 2005, while Interior earned failing marks after getting a C-plus in 2004.

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?"

The annual report bases the grades on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA).

The FISMA grades measure compliance with NIST's computer security standards and guidelines (FIPS 199 and 200, and the SP 800 series, notably SP 800-53), as reported by the agencies themselves to OMB.


Jeffery Jay Lowder said...

It doesn't surprise me that the Department of Homeland Security got an F in computer security, but then it wouldn't surprise me if many companies also got an F in computer security. Unlike the government, however, companies aren't always subjected to audits where the audit reports are made available to the general public. (This isn't intended to be an excuse for the government's poor performance, but just an observation about how widespread poor computer security truly is.)

Einzige said...

Well, forgive me for pointing out the obvious: We're not talking about McDonald's, here. We're talking about the Department of Homeland Security. An organization whose sole reason for existence is - need I say it again? - security. Not only that, but I imagine they probably spend more money than "many" companies on, um, "security" - money that is appropriated (to put it euphemistically) rather than actually earned via provision of a valued service.

It's not unreasonable, then, to hold them to a slightly higher standard than, say, Petco.