Federal agencies earn C- on FISMA report card

Federal agencies scored an average grade of C- in this year's information security scorecard, a slight improvement over last year.

Released by the office of U.S. Rep. Tom Davis, R-Va., ranking member of the House Government Oversight and Reform Committee, the scores were based on Federal Information Security Management Act (FISMA) audits conducted throughout the past year.

Written and championed by Davis in 2002, FISMA was designed to increase security awareness across all government agencies and provide a benchmark to test security best practices.

This year’s average grade was an improvement over last year, when agencies scored an average of D+.

"This grade indicates slow but steady improvement from past years," Davis said. "Obviously, challenges remain. While there are some excellent signs of progress in this year's report, and that's encouraging, I remain concerned that large agencies like the DoD [the U.S. Defense Department] and DHS [Department of Homeland Security] are still lagging in their compliance."

As Davis mentioned, improvements were noticeable this year. The Department of Justice improved over its D mark last year with a grade of A-. Similarly, the Department of Health and Human Services improved by several letter grades, from an F to a B. However, improvements made by some agencies were balanced by backsliding by others. For example, NASA lapsed from a B- last year to a D- this year, and the Department of Education saw its score fall from a C- to an F.

As Davis mentioned, the two agencies most responsible for securing the nation’s physical and logical infrastructure scored dismally again this year. This marks the second year in a row that the Department of Defense has earned an F on its FISMA report card. The Department of Homeland Security, meanwhile, made a nominal improvement over last year’s failing grade with a D this year.

While the poor marks for the defense-related agencies might seem shocking to some, many federal IT security experts believe that they are not necessarily indicative of these agencies’ true security postures. Most experts agree that FISMA is a necessary law and that taking metrics is equally important to improve awareness about security across the government. But agreeing on metrics can be tricky and some of them may not give a true indication of security.

“The law itself is a very good law,” said Christopher Fountain, president of SecureInfo, a firm that specializes in helping government agencies improve information security assurance. “But when you take this very complex problem and boil it down to a single grade at a single point in time, I think the potential for something to be lost in translation is very real, and I think people may draw the conclusion that the fact that the [DoD] got an F means that our information systems at the DoD aren’t secure and we’re vulnerable as a nation. And I don’t see that to be the case at all.”

According to Prabhat Agarwal, analyst with INPUT, many agency CIOs and CISOs must perform a balancing act between spending resources on improving compliance and improving security, which sometimes don’t necessarily line up.

“I think there are areas that many in the industry recognize could be improved,” Agarwal said. “I think there is a recognition that you have to balance building security to improve your grade and doing it to secure the enterprise.”

Davis said today that he understood these challenges and hopes to refine FISMA grading to better align security posture with annual grades. One example he mentioned was to potentially award agencies for taking steps toward secure configurations.

"This statement opens the door to huge improvements in federal information security," said Alan Paller, director of research for the SANS Institute.

Another adjustment Davis desires would address the lack of centralized authority that many agency CIOs and CISOs have had for making necessary security changes within agency infrastructure. The congressman stated that he intends to reintroduce legislation that he wrote last year which would do this.

“This bill also expressly requires government agencies to notify individuals when sensitive personal information contained in government systems is compromised,” said Liz Gasster, executive director of the Cyber Security Industry Alliance (CSIA). “CSIA supports this legislation and other efforts that enhance information security employed by the government.”

By Ericka Chickowski, West Coast Bureau Chief.
