[ISN] U.S. Government Fails to Make Security Grade

From: InfoSec News (isnat_private)
Date: Wed Dec 04 2002 - 00:53:12 PST


    By Caron Carlson 
    December 3, 2002 

    For the second year running, the federal government has flunked 
    Computer Security 101. 

    The 24 major agencies of the U.S. government performed so poorly this 
    year that lawmakers charged with overseeing government efficiency want 
    to tie agencies' funding to network security procedures and force them 
    to buy software only from a list of "qualified" products. 

    Despite the redoubled attention to security since the terrorist 
    attacks of Sept. 11, 2001, 14 of 24 federal agencies flat out flunked 
    their efforts to improve network safety, according to the Computer 
    Security Report Card released last month by the House Subcommittee on 
    Government Efficiency, Financial Management and Intergovernmental 
    Relations. This fall, the subcommittee concluded that every major 
    agency in the federal government houses significant network security 

    Perhaps most worrisome, some agencies--including some that conduct 
    highly confidential activity--fared even worse than they did a year 
    ago. The National Aeronautic & Space Administration's score fell to a 
    D-plus from a C-minus, and the Department of State's score fell to an 
    F from a D-plus. 

    The scores are based on numerous criteria, including employee 
    training, access controls, incident reporting procedures, system 
    software, mechanisms to ensure the security of contractor services, 
    and the use of performance measures, among other things. The data 
    comes from reports that the agencies send to the Office of Management 
    and Budget and audits conducted by inspectors general and the General 
    Accounting Office. 

    Demonstrating the paradox of trying to promote improved security via 
    public disclosure, the subcommittee declined to release detailed 
    evaluations of each agency. 

    "With computer security, it is not necessarily in the best interest of 
    everybody to identify specific problems," an aide on the subcommittee 
    said. "The agencies know, and they are the people who need to get 
    going on this." 

    The Social Security Administration made the highest grade this year, 
    rising to a B-minus from last year's C-plus. "[T]he Social Security 
    Administration continues to be a shining example of sound leadership 
    and focused attention toward solving this important problem," 
    subcommittee chairman Stephen Horn, R-Calif., said upon disclosing the 

    The Nuclear Regulatory Commission earned the third highest grade this 
    year with a "C," which does not appear remarkable until viewed in 
    comparison with last year's failing grade. 

    In addition to tying funding to computer security, the government 
    should set minimum security standards for commercial off-the-shelf 
    software purchased by federal agencies, the subcommittee recommended 
    in a report titled "Making Federal Computers Secure: Overseeing 
    Effective Information Security Management." 

    The panel suggested that agencies be given a list of qualified 
    software products, based on tests by developers or by an independent 
    government agency, such as NIST or the National Security Agency. 

    "The current practice of releasing software without adequate security 
    testing and then developing patches to fix vulnerabilities creates an 
    untenable burden on Government systems administrators," the 
    subcommittee complained in the report. 

    Lawmakers noted that the White House's Office of Management and Budget 
    began using funding to try to improve computer security last year. 
    OMB, which is requiring agencies to identify weaknesses and submit 
    plans for addressing them, plans to end funding IT projects that don't 
    include security requirements. 

    In the past year, there have been significant attacks on federal 
    computers at the White House, the Pentagon and the Department of 
    Treasury, among others. Lawmakers advised that senior managers pay 
    more attention to network security and promote better education within 
    the ranks. They also suggested that all departments implement 
    performance measures and integrate security into their budget 

    The subcommittee was chaired by Horn, who is retiring at the end of 
    this session, so it remains unknown whether there will be a Computer 
    Security Report Card compiled in 2003.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 03:30:26 PST