The US government received an overall C grade on an annual information security report card that was released Tuesday.
But the report card and the internal security reports on which it's based face increasing scepticism about whether they accurately portray how prepared federal agencies are to deal with cyberthreats.
For the second year in a row, the government-wide grade improved modestly, rising from a C- on the report card issued last year for 2006.
But nine of the 24 agencies rated by US Rep. Tom Davis (R-Va.) were given failing grades for 2007 on the latest report card, among them the Nuclear Regulatory Commission and the Departments of Defense, Agriculture, Labor and Veterans Affairs.
Meanwhile, four agencies, including the Department of Justice and the Environmental Protection Agency, earned A+ grades on the new report card. Four others received grades of A or A- from Davis, who is the ranking minority member on the House Committee on Oversight and Government Reform.
The grades are based on reports compiled annually by the inspector general at each agency to measure its compliance with the Federal Information Security Management Act (FISMA), which Davis authored. FISMA requires agencies to develop processes for testing their security controls and contingency plans, and also mandates that they adopt standard system configurations, set incident response and breach disclosure policies, and implement programs for security training and for system accreditation and certification.
The law was approved in the aftermath of the 11 Sept. 2001 terrorist attacks and initially was seen as a much-needed measure for bolstering federal information security. But over the past two or three years, there has been growing concern that many agencies have begun treating the FISMA process as little more than a paperwork exercise, resulting in little in the way of actual security improvements.
The current FISMA reports "say absolutely nothing about government security," said Alan Paller, director of research at the SANS Institute, an IT training and certification organisation. "This is just a measure of compliance with report generation."
The big problem, according to Paller and other critics, is that FISMA doesn't require agencies to demonstrate that the mandated controls have actually been implemented effectively and are improving their IT security. For instance, an agency that can show it has a security awareness training program in place is deemed to be compliant with that requirement, even if no employees have received any actual training, Paller said.