Government Receives a C-Minus on Information Security Efforts

"It's troubling that some of the agencies with the most sensitive information continue to score poorly on this."

Today, the results of the 2006 Federal Information Security Management Act (FISMA) report card were released. Rep. Tom Davis, ranking member of the House Oversight and Government Reform Committee, gave the federal government an overall grade of C-minus for safeguarding information on government computer systems.

"This grade indicates slow but steady improvement from past years," said Davis, who had given the government a grade of D-plus, D-plus and D the last three years. "Obviously, challenges remain. While there are some excellent signs of progress in this year's report, and that's encouraging, I remain concerned that large agencies like DOD and DHS are still lagging in their compliance."

The Department of Justice and the Department of Housing and Urban Development showed the most improvement from 2005 to 2006. Justice jumped from a D to an A-minus, and HUD climbed from a D-plus to an A-plus. HUD had, for the first time, developed a full inventory of its information systems, a major plus in the grading, and it showed improvement in virtually all categories. NASA, which fell from a B-minus to a D-minus, and the Department of Education, which fell from a C-minus to an F, showed the biggest declines.

The grades are derived from the annual reports agencies produce to comply with FISMA, which Davis wrote and shepherded to passage in 2002. Agencies are rated on their annual testing of information security controls; their plans of action and milestones (corrective action plans); whether they certify and accredit their systems as secure; how well they manage the configuration of their computers to ensure security; how they detect and respond to security breaches; their training programs; and the accuracy of their system inventories.

"The results of the report card this year show that federal agencies are beginning to take seriously their responsibilities to safeguard sensitive information," said Rep. Mike Turner, ranking member of the Information Policy, Census and National Archives subcommittee. "It's troubling that some of the agencies with the most sensitive information continue to score poorly on this. The report identifies problems in federal agencies which include the Department of Defense, the Department of State, and the Nuclear Regulatory Commission."

The Department of Homeland Security received a D this year, the first time since the ratings began in 2003 that it did not receive an F. Davis attributed the improvement to DHS finally establishing an inventory of its computer systems, a critical first step in information security. "You can't protect what you don't know you have," Davis said.

Davis said the agency reports showed that the number of systems reported, the annual testing of security controls, and the testing of contingency plans have all increased. Slightly more systems are certified and accredited as secure as well, and agencies' reporting of breaches and other security incidents has increased dramatically.

But progress is still needed in developing effective security plans and in the milestones used to measure progress against those plans. More improvement is also needed in how systems are configured from a security standpoint and in training for employees with significant information security responsibilities.

Davis said he is exploring ways to use the scorecard process to reward agencies that configure their systems with security in mind. For example, as agencies move to Microsoft Windows Vista, bonus points could be awarded to agencies that take specific steps toward secure configurations. Leading information security professionals applauded the announcement.

"This statement opens the door to huge improvements in federal information security," said Alan Paller, director of research for the SANS Institute, which trains information security professionals. "It could have a profound effect if changes in Congressional focus and grading provide the necessary incentive to persuade agencies to implement the new OMB-mandated secure configurations faster and more broadly."