The report card, released by the office of U.S. Rep. Tom Davis, R-Va., the ranking member of the House Government Oversight and Reform Committee and the author of the FISMA legislation, showed that nine federal agencies scored a failing grade in 2007.
Flunking this year were the Department of Transportation, Department of Labor, the Department of Defense, the Department of the Interior, the Department of the Treasury, the Department of Veterans Affairs, the Department of Agriculture and the Nuclear Regulatory Commission.
Davis has made repeated calls for more oversight of agency information security practices.
"We need to do more to bring consistency regarding standards and review," Davis said in a prepared statement. "We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don't measure up. We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box."
On the positive side, three agencies received "high-confidence" grades of "A" because of "sterling financial audits," Davis said.
These were the U.S. Agency for International Development (USAID), the National Science Foundation and the Social Security Administration
The Department of Housing and Urban Development and the Department of Justice each received an "A" but with "low confidence" ratings because of weaker audit results, the statement said.
Davis said he was happy by the improvement in the overall score. Three agencies, the Department of Energy, which climbed from a "C-minus" to a "B-plus"; the Department of Homeland Security, up to "B" from a "D;" and the National Aeronautics and Space Administration (NASA), from a "D-minus" to a "C-plus," lead the improvement.
Conversely, the Department of Labor's rating plummeted from a "B-minus" to an "F," while the Department of Education's rating slipped slightly from a "D-" to an "F."
Federal agencies are rated on a variety of criteria during the annual FISMA audit process. These include their annual tests of information security, their plans of action and milestones or corrective-action plans, whether they certify and accredit their systems as secure, how well they manage the configuration of their computers to ensure security, how they detect and react to breaches, their training programs and the accuracy of their inventories.
For 2007, several new factors, including the results of fiscal year 2007 financial statement reporting, were factored in to determine the confidence level placed in the scores, according to Davis' office.