The federal government continues to earn poor information security marks

Instead of offering written reviews for your security staff, imagine if you had to give them a grade. Well, that’s just what federal agencies must endure, and it appears they might end up with some extra homework. According to the 2003 Federal Computer Security Report Card, the government got an average grade of D.

But what’s in a grade? And who decides the score, and how is it weighted?

The report card is generated by the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. It’s spearheaded by Subcommittee Chairman Rep. Adam Putnam (R-Fla.). The grades are primarily based on reports submitted by these agencies to the Office of Management and Budget through the Federal Information Security Management Act (FISMA), says Suzanne Lightman, a member of the House’s professional staff.

According to Lightman, reports are focused on security management, asking questions like: Have you reviewed this year’s security programs? Have tasks including the buildout of risk assessment plans been assigned? Are there documented procedures for security incident reporting, or have patch management systems been put in place?

To arrive at the grades, the subcommittee uses OMB performance metrics to analyze agency and FISMA reports. Since most FISMA questions provide for a range of responses, from 100 percent complete to less than 50 percent complete, the number of points assigned to each response is proportional to the extent that the element has been implemented. For example, an agency can earn up to six points if it has identified all of its critical operations, or fewer points if it has completed only a percentage.

An agency gets four points if the CIO has appointed a senior agency information security officer. Points can also be earned for agencies that offer specialized training to security staff, or that test contingency plans.
But points are taken away from agencies yet to inventory major IT systems.

What do the experts think about these bad grades, which include an F for the Department of Homeland Security? “Some of these agencies have not put security as a high priority. We need to change the culture of some agencies,” says Bob Dix, staff director of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

The subcommittee was encouraged by the top performers, including the Nuclear Regulatory Commission and the National Science Foundation, which received an A and an A-, respectively. And the subcommittee is not necessarily concerned with the DHS’s failing grade because of its newness. The DHS was around just nine months before this report was put together. But there are great expectations for the DHS: “[The DHS] will become a leader next year. They should have much higher grades,” says Dix.