Government Gets C-, Defense Department Fails Security Report Card

Eight government agencies, including the Department of Defense, the Treasury, and the Nuclear Regulatory Agency, got failing grades Thursday on their annual computer security report card.

Overall, for 2006 the government got a C- grade, which actually is up slightly from the last three years when it received a grade of D+, D+, and D. A third of the agencies received an F, while the same number received between an A- and an A+.

Rep. Tom Davis, R-Va., ranking member of the House Government Oversight and Reform Committee, presented the report card for the performance of the 24 agencies covered by the Federal Information Security Management Act.

"This grade indicates slow but steady improvement from past years," Davis said in a written statement. "Obviously, challenges remain. But there are some excellent signs of progress in this year's report, and that's encouraging."

The grades are derived from annual reports the agencies produce to comply with the management act, which was passed in 2002. Agencies are rated on annual tests of information security, whether they certify and accredit their systems as secure, how well they manage the configuration of their computers, how they detect and react to security breaches, their training programs, and the accuracy of their inventories.

The departments of Justice and Housing and Urban Development showed the most improvement. Justice went from a D in 2005 to an A- for 2006, while HUD went from a D+ to an A+. The Department of Health and Human Services also made great gains, going from an F to a B last year.

On the other side of the balance sheet, though, NASA dropped from a B- in 2005 to a D- in 2006. The Department of Education also slipped from a C- to an F.

The Department of Homeland Security, which is tasked with protecting the United States from terrorist attacks, got a D for its computer security efforts. That's up from 2005, though, when the department got a failing grade. The State Department, along with the departments of Defense, Education, and Treasury, also failed.

The Department of Veterans Affairs, which has been plagued with computer and data losses, didn't make its report available.

"It's disturbing that some of the agencies with the most sensitive information continue to score poorly on this," said Rep. Mike Turner, R-Ohio, in a written statement. "The Department of Defense, the Department of State and the Nuclear Regulatory Commission need to improve."

Alan Paller, director of research for the SANS Institute, said in a statement that this scorecard process is a positive effort that could lead to meaningful change.

"By using the congressional grading process and thoughtful leadership to place high priority on the most critical security initiatives, Rep. Davis is helping agencies focus on stopping the increasingly sophisticated attackers," he said. "It could have a profound effect if changes in congressional focus and grading provide the necessary incentive to persuade agencies to implement new secure configurations faster and more broadly."