Poor government security makes industry wary

By Stephen Barlas, Contributor 20 Mar 2006 | SearchSecurity.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

WASHINGTON -- The latest disquieting congressional scorecard -- once again flunking key national security agencies on their cybersecurity efforts -- doesn't bode well for companies willing to share security data with the Department of Homeland Security or other government agencies.

To the extent that the report issued last week by the House Government Reform Committee heightens congressional and perhaps White House concern about a gaping hole in the defense against the war on terror, there may be some pressure on the Departments of Defense (DOD), Homeland Security (DHS), State and Justice to pay more attention to computer and IT security.

According to the annual report card on government computer security efforts (.pdf), which was issued during a Thursday hearing by committee Chairman Rep. Tom Davis (R-Va.), all of those organizations received Ds or Fs for 2005.

At the same time, those dismal grades may encourage many in the private sector to think twice about sharing information with DHS. John Sabo, director of security and privacy initiatives for Islandia, N.Y.-based CA Inc., said IT companies met as recently as three weeks ago with DHS officials about specific data security measures it must implement before the industry would be willing to share proprietary corporate IT infrastructure information.

More on security DHS: Time to outlaw rootkits? Data leaks and losses abound

"It is less likely that any significant volume of sensitive IT information sharing will go on if we believe that information cannot be protected," Sabo said.

The annual security scorecard is mandated by the Federal Information Security Management Act of 2002 (FISMA). It rates 24 agencies and departments based on information submitted by agency CIOs and inspectors general. Those reports use metrics related to such things as the percentage of information security systems reviewed, how many have been accredited and certified and how many have plans of action and milestones to address system weaknesses.

For the third year in a row, Davis gave the overall federal government a grade of D+. "None of us would accept D+ grades on our children's report Cards," he said. "We can't accept these either."

However, the DHS grade actually increased from 20.5 out of 100 in 2004 to 33.5 in 2005. But that was still an F and the department's poor showing can be attributed, according to a committee staffer, to poor configuration management, inadequate certification and accreditation and deficient annual testing of systems.

Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and a former DHS official, said the failing grades for national security agencies "doesn't bode well for the future." He said the White House Office of Management and Budget (OMB), which is responsible for ensuring FISMA compliance, lacks the necessary resources to do the job.

Drew Crockett, a spokesman for Davis, said OMB's capabilities will be evaluated, adding that Davis is not unsympathetic to the IT security challenges faced by DOD and DHS.

"These are massive agencies with complex problems," Crockett said. "DHS inherited old computer systems from the agencies it incorporated. But they must move forward. They are on the front lines in the war against terror."

At the hearing, Scott Charbo, CIO for DHS, insisted his agency was moving forward. For example, he said last year just 26% of systems were properly accredited for security, but now -- following the remediation project instituted last fall by DHS Secretary Michael Chertoff -- over 60% are accredited. The department has also started a new program to bring all legacy IT infrastructures under a single management program. "I am confident that the DHS Information Security Program is moving in the right direction," Charbo concluded.

Alan Paller, director of research at SANS Institute, said the results of the report card aren't as important as how the systems perform under more pointed analyses.

"How ready are government systems? Are they configured correctly? Do they have the latest patches? Are the filters in front of them up to date? Each of those questions can be answered in real-time without paying millions to consultants to write reports that will never be read" Paller said via e-mail.

CA's Sabo explained others have voiced similar criticisms of FISMA in the past. But he emphasized that the transparency provided by the FISMA reports is very important. He gave Davis considerable credit for holding the federal government's feet to the fire on IT security.

Stephen Barlas is a freelance writer based in Washington D.C. This article originally appeared on SearchSecurity.com.

Tags: Enterprise information security management,  Enterprise risk management,  Government industry,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise information security management Talking swine flu and Conficker with the CIO of the CDC Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Enterprise risk management quiz for CIOs Network access control now addresses multiple needs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Avoiding gotchas of security tools and global data privacy laws Security standards to help manage compliance for those federal funds Information security and IT governance guides for CIOs Enterprise risk management Email archiving solutions and strategies for enterprise CIOs For CIOs, email deletion scandal shows need for email retention policy Swine flu preparedness: Business continuity during an H1N1 outbreak Talking swine flu and Conficker with the CIO of the CDC Tips from the CDC's CIO on H1N1 flu preparedness Tips for business continuity and contingency planning for swine flu Enterprise risk management quiz for CIOs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Business continuity plan needs the right leader, metrics to succeed Government industry Miscues abounded in Boston email retention policy, practices Healthcare IT standards still not clear Security standards to help manage compliance for those federal funds California appoints first cabinet-level state CIO, raises bar on IT DoD takes cue from U.S. businesses, blocks YouTube, MySpace Wi-Fi way to shrink digital divide, say big-city CIOs Vertical market guide for CIOs Lawson pitches SOA for the midmarket 'Sandal and ponytail set' cramping Linux adoption? Wisconsin CIO gets slammed on Oracle email debacle

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary GRC (governance, risk management and compliance) software  (SearchCIO.com) sustainability risk management (SRM)  (SearchCIO.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary