House Report: Federal Agencies Get a “D” for Cyber-Security

By Eric Wolff, The New York Sun

New York, NY (December 11, 2003) – Lawmakers gave the federal government a “D” grade for cyber-security this year – and that was an improvement from last year’s “F”.

The House Governmental Reform Subcommittee on Information Technology issued its fourth annual report card on the strengths and weaknesses of the government’s information technology, and for the fourth year in a row, it found federal computer systems lacking basic precautions.

The 25 largest government agencies were inspected for the report, and 19 lacked inventories of “mission critical” systems, including important computers, the location of crucial data, or which systems had to be maintained in the event of an emergency.

“How can you secure what you don’t know you have?” wrote Rep. Adam Putnam, a Republican from Florida, in the introduction to the report. The Department of Homeland Security was just one of several agencies that earned a failing grade.

The State Department received its second “F” in a row because only 15% of component agencies had an information technology plan to detail basic procedures like how often to change a password and how to back up data. Only 11% of all its systems had been checked for obvious security holes.

The Department of the Interior also received its second “F” in a row. None of the agencies could be reached immediately for comment. The Department of Treasury, responsible for the creation of currency and its collection via the IRS, had 70 “material weaknesses,” according to the report, which dismissed the department’s claim that 41% of its systems had been assessed for security risks, since even the assessments were not up to legal standards.

Only two agencies received “A”s: the Nuclear Regulatory Commission and the National Science Foundation, which improved to an “A-” this year from a “D” in 2002.

Eight other agencies improved their performance by two grades, simply by implementing basic IT plans and training, the report said. No government agent interviewed by The New York Sun had a justification for why security measures hadn’t been improved over the four years the report cards have been given out.

“A lot of this stuff needs a lot of manpower more than money,” said a network security expert, Adam Hirsch from Net at Work, a New York security consulting firm. “A lot of these things are just a matter of proper organization – setting up formal processes, doing the work.”

NASA and the Department of Health and Human Services were the only agencies to get lower grades since the 2002 report card.