U.S. House Government Reform Committee Chairman Tom Davis (R-Va.) last week released the 2004 federal government computer security scorecard, which gave federal agencies an overall D+ average. Several agencies, including the U.S. Department of Homeland Security and the U.S. Department of Energy, scored F"s for the second year running. Others, such as the U.S. Department of Transportation, showed big improvements.
In this interview with Computerworld, Davis talked about the government"s performance on the score card and warned that more mandates could be on the way if federal agencies don"t fix their security issues soon.
What are your conclusions about the overall performance of government agencies? I think it is improving, but it"s not improving fast enough at this point. The overall agency scores rose by 2.5 points, but they still scored a D+. We just need to continue to give this focus, and hopefully we won"t have some kind of cyberattack or cyber-Pearl Harbor. We have to be inspired by that to try and stay ahead of the curve.
Why are some agencies faring so well while others appear to be struggling? Leadership. It"s about leadership. It basically goes to the CIO and the agency heads and their ability to coordinate on this. They have to get this focused. They need to get a plan, (and) they need to execute on it. Some agencies have put the resources into it, and others haven"t. We have independently verified these scores. Some have still a long way to go.
What"s the incentive to improve when there are no funding or other repercussions for bad grades? I don"t know if you want to punish people by withholding funding. That makes it even tougher for them to meet their goals. But I think there may be an embarrassment factor. If you want to have career advancement and you come off an agency that has got a bad FISMA (Federal Information Security Management Act) grade, it probably isn"t going to help you move to the next level. I think this is part of the evaluation process. Eventually, I think there will be a funding attachment. These score cards are fairly new, and we are trying to get an appropriations buy-in.
Many of the recommended security controls for federal agencies will become mandated requirements by the end of this year. What impact will that have on the score cards next year. Mandates are better than suggestions, unfortunately. You hate to get to the point where you have to mandate things that need to get done. But I think that is the way Congress will react, with more mandates on agencies that will put more burden on them. We would rather have (agencies) solve the issues themselves. But if they can"t do that, I think they"ll get a lot more mandates.
You identified several areas where federal agencies overall need to improve, including annual reviews of contractor systems, testing of contingency plans and incident reporting. What is the problem? (Federal agencies) don"t have the finances for it. The basic problem is that we are asking them to do this in some cases without giving them a lot of new money. As a result of that, they just check it off like they do all their other priorities. They are kind of waiting for additional money to come through. We ask the agencies to do a lot of things. This is just one.
You had identified a need for each agency"s inspector general to standardize the evaluation process to ensure the accuracy of their reports and make sure that fair comparisons can be made between the agencies. What"s being done? We haven"t made any changes yet. That will be based on the responses we get from the different agencies.
How will the CISO Exchange that you announced recently help improve things? Hopefully, we will get people to come from agencies that have done it going into agencies that haven"t done it and show them how to do it. You get some pollination that way.