The U.S. House Government Reform Committee released its Federal Computer Security Scorecards today, and the results were not good for most government agencies.
The committee rated overall government security with D+ grade, based on averages from 24 agencies. Of those agencies, seven received outright failing grades, including the State Department, the Department of Defense (DoD) and the Department of Homeland Security (DHS).
The scorecards are based on a review of reports submitted by federal agencies in response to the Federal Information Security Management Act of 2002 (FISMA). In a hearing to discuss the recent results, U.S. Rep. Tom Davis, R-Va., spoke about the unacceptability of the government's security practices.
"Our analysis reveals that the scores for the Departments of Defense, Homeland Security, Justice, State – the agencies on the front line in the war on terror – remained unacceptably low or dropped precipitously," Davis said. "None of us would accept D+ grades on our children's report cards. We can't accept these either."
Davis and other committee members asked for updates on security practices from ranking officials at both the DoD and DHS. He acknowledged that the DHS in particular has had a "steep climb" ahead of it in terms of securing the disparate systems of the many organizations that were combined to form DHS three years ago, while asking whether the department has all the resources it needs to improve.
Scott Charbo, chief information officer at DHS, said that the department continues to make security progress despite the low scores. In his testimony he pointed to an "aggressive remediation project" that the department began five months ago. The goal of this project is to reach 100-percent remediation by the end of the year and it is currently on track to meet that goal, he said.
"In just five short months, the department has more than doubled the number of accredited systems," he said. "It is clear the project is positively affecting the security culture of the department, and recent upward trends in remediation metrics support that view."