[ISN] Agencies flunk security review

From: InfoSec News (isnat_private)
Date: Mon Nov 12 2001 - 23:44:17 PST


    By Diane Frank
    Nov. 12, 2001

    A House panel last week gave two-thirds of all federal agencies a
    failing grade for efforts to secure information systems, a worse
    showing than last year, attributed to greater awareness of security.

    Rep. Stephen Horn (R-Calif.), who has graded agencies on several
    information technology management topics over the years, gave the
    government an overall grade of F for its effort to secure IT systems,
    with 16 of 24 agencies surveyed receiving the failing grade. Only one
    agency received a grade higher than a C-plus.
    "It is a disappointing feeling to announce that the executive branch
    of the federal government has received a failing grade for its
    computer security efforts," said Horn, chairman of the House
    Government Reform Committee's Government Efficiency, Financial
    Management and Intergovernmental Relations Subcommittee, at the Nov. 9
    hearing during which he released the grades.

    The grades are disappointing, even if they help wake up agency
    managers to the fact that there's a lot of work to be done to secure
    the systems, said Sallie McDonald, assistant commissioner for
    information assurance and critical infrastructure protection at the
    General Services Administration.

    Last year, Horn gave the government an overall grade of D-minus, with
    seven agencies getting F grades. Horn and other officials attributed
    the worsening grades to a more thorough investigation into IT
    security. Last year, Horn collected information using a questionnaire
    developed by his staff. This year, however, he based his grades on the
    first comprehensive evaluations of agencies' security programs
    mandated under the Government Information Security Reform Act (GISRA).
    Agency chief information officers and inspectors general submitted
    those reports Sept. 10 to the Office of Management and Budget.
    After realizing that assessing their systems was becoming increasingly
    important, agencies conducted other security reviews, resulting in a
    greater awareness of security vulnerabilities, said Robert Dacey,
    director of information security issues at the General Accounting

    "Not surprisingly, this has led to the identification of additional
    areas of weakness at some agencies," he said.

    With creation of the Office of Homeland Security and a cyberspace
    security adviser, "it is important that federal information security
    be guided by a comprehensive strategy for improvement" with detailed
    plans and the resources to back them up, Dacey said.
    The Information Technology Association of America, which labeled the
    security grades "unacceptable," also called for more funding. "It's
    important to recognize this challenge, but it is also equally
    important to put in place the investment to address it," said Shannon
    Kellogg, ITAA's vice president of information security programs. "The
    reality is that the CIOs in all these agencies are expected to take
    money for security out of hide."

    The administration, however, is not inclined to request more spending
    on security because an OMB analysis shows no significant relationship
    between the percentage of IT spending on security and the soundness of
    the security at an agency, said Mark Forman, OMB associate director
    for information technology and e-government.

    OMB estimates that agencies will spend at least $2.7 billion on
    security in fiscal 2002, and they must learn to spend it more wisely,
    Forman said. "We don't believe that simply adding more money will
    solve the problem," he said.
    The administration, dissatisfied with the security data agencies
    supplied in the GISRA reports, has asked agencies to provide more
    details on specific agency programs to better understand the extent of
    the security problems.

    "This is the best set of information we've gotten so far, [but] we
    want more," Forman said. "When we get into the details, I think we're
    going to find a mixed bag, and that's where we need to go in the next

    OMB has asked agencies to reallocate money to conduct more in-depth
    assessments, especially for a program called Project Matrix. The
    Critical Infrastructure Assurance Office developed the Matrix program
    to identify agencies' critical assets, prioritize them from the most
    to the least critical and determine how co-dependent they are on one
    another. Several agencies have completed the assessment. OMB has
    directed the other agencies to reallocate fiscal 2002 funds for Matrix

    Once the reviews are completed, OMB will identify several
    governmentwide activities and lines of business for additional Matrix
    reviews to create a horizontal view of the government's
    vulnerabilities, Forman said.
    For fiscal 2003, OMB will continue to follow the policy set by the
    Clinton administration that any funding request for an information
    system with inadequate security will not be included in the
    president's budget submission, Forman said.

    OMB will also use the GISRA reports and budget meetings with agencies
    "to determine whether OMB must take steps to assist agencies in
    quickly correcting their most serious weaknesses," he said.

    OMB Director Mitchell Daniels Jr. plans to meet with agency heads "to
    impress upon them that true improvements in security performance come
    not from external oversight but from within," Forman said.

    Daniels' meetings are a good sign, McDonald said. During the rush to
    fix the Year 2000 problem, agency heads did not pay attention to the
    issue until John Koskinen, President Clinton's Year 2000 czar, met
    with them in person, she said.

    OMB also must involve the President's Management Council in the effort
    so that department secretaries and deputy secretaries understand their
    roles in security, experts say.

    "If you make it difficult for secretaries to ignore [security], then
    the problem will get fixed much more quickly," said Alan Paller,
    director of research for the SANS Institute, a security education and
    consulting organization.
    New set of security grades from Horn
    (Last year's grade, then this year's grade)

    Agency                          Last year   This year
    Agriculture                     F           F
    USAID                           C-          F
    Commerce                        C-          F
    Defense                         D+          F
    Education                       C           F
    Energy                          Inc         F
    HHS                             F           F
    Interior                        F           F
    Justice                         F           F
    Labor                           F           F
    Nuclear Regulatory Commission   Inc         F
    OPM                             F           F
    SBA                             F           F
    Transportation                  Inc         F
    Treasury                        D           F
    VA                              D           F
    NSF                             B-          B+
    Social Security                 B           C+
    NASA                            D-          C-
    EPA                             D-          D+
    State                           C           D+
    FEMA                            Inc         D
    GSA                             D-          D
    HUD                             C-          D
    Governmentwide grade            D-          F

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 02:17:47 PST