DHS scores F on cybersecurity report card

A congressional analysis of federal agencies gave failing grades to eight, with Homeland Security receiving its third F in a row.

Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
Anne Broache
3 min read
The U.S. Department of Homeland Security earned failing marks in an annual computer security report card released Thursday by a congressional oversight committee.

That means the federal agency tasked with principal responsibility for the nation's cybersecurity has now received a grade of "F" from the U.S. House of Representatives Committee on Government Reform for three straight years--in other words, every year of its young existence.

It's not alone. Of the 24 departments on the scorecard (click for PDF), seven others, including Energy, Agriculture, Veterans Affairs, State, and Defense, also received failing marks for 2005. The scores for both Defense and State had hovered above passing-- at D and D+, respectively--in 2004. The overall grade across all government agencies was D+, unchanged from last year.

The shortcomings were little surprise but are nonetheless "appalling," said Gene Spafford, a Purdue University computer science professor who has long been urging greater cybersecurity research and more development dollars. He served on a presidential advisory committee that released a scathing report last year called "The Cyber Security Crisis: A Failure of Prioritization."

"Despite all the rhetoric from government officials about preparedness and defense against those who would harm the U.S., it is clear that they still don't 'get it' about IT security," he said in an e-mail interview.

The report cards are based on reports from agencies about their compliance with the Federal Information Security Management Act of 2002. That law sets a broad framework of requirements, including devising an information security program, keeping an inventory of its systems, training personnel and contractors in security "awareness," evaluating the effectiveness of its program periodically, and flagging and developing plans to root out weaknesses.

To be sure, the news wasn't all bad. Seven agencies, including the Department of Labor, the Social Security Administration, and the National Science Foundation, received grades in the A range, in some cases pulling their scores up from the C range over the past year. But progress has been "uneven" on a government-wide scale, concluded the Government Accountability Office in a presentation delivered Thursday before the House committee.

The Department of Homeland Security has proven itself a particular magnet for criticism and had been chided for its failure to develop a cyber crisis contingency plan, prompting experts to question its ability to handle a massive attack. The agency recently modeled such a scenario, drawing praise from tech companies that participated, but it doesn't expect to release an analysis of its outcome until the summer.

A high-level cybersecurity czar post proposed by the department also remains vacant, though perhaps through no fault of the agency's own. A congressional bill consenting to its creation remains bottled up in committee.

DHS Chief Information Officer Scott Charbo told politicians in prepared testimony for Thursday's hearing that the department is committed to making improvements. It launched three major new tools in 2005, he said, including monthly information security scorecards for department leaders to review. By February, it had also brought 60 percent of its 700 systems into full compliance with federal security standards, up from 26 percent before launching a special "Remediation Project" in October 2005.