The scores, based on a review of reports submitted by federal agencies in response to requirements of the Federal Information Security Management Act of 2002 (FISMA), surprised few in the industry. But they set many pundits' fingers a-wagging.
"None of us would accept D+ grades on our children's report cards," says Congressman Tom Davis, chair of the House Government Reform Committee that releases the security scorecards. "We can't accept these either."
The problem with the scores, however, may not be their rank on the letter scale but their irrelevance to many agencies' security postures.
"FISMA quickly devolved into a paperwork compliance exercise, which, in many cases, is not connected to underlying best security practices," says Bruce Brody, vice president for information security at INPUT. "It is paper that says you're compliant as opposed to processes that give you security."
Brody saw the effects FISMA had on government agencies first-hand, working most recently as the CIO at the Department of Energy. Prior to that, he headed up technology operations at the Department of Veterans Affairs as CIO. Now that he's working in the private sector, he feels comfortable speaking out about FISMA's flaws. He says that his feelings reflect those of most of his former colleagues, who wouldn't dare speak publicly against the law for fear of career repercussions.
But FISMA isn't without its backers.
"What I like is that it is the first time we've made an attempt at report cards and accountability across agencies, which leads to changes, including more budget and more education," says Doug Landoll, general manager of security services for En Pointe Technologies. "It is making people accountable for improvements."
Brody believes differently. He fears that FISMA only served to bring a "checkmark" mentality to security within the agencies.
"The right way to do security in the federal government is to allow CIOs to centrally manage the security of all the systems in the enterprise and to do that with automated technology," Brody says. "Why the federal government would put legislation in place that would be almost the exact opposite of best security practices just boggles my mind."