In a scathing report released Friday, the U.S. congressional Subcommittee on Government Efficiency, Financial Management and Intergovermental Relations flunked 16 federal agencies on their computer security efforts, while giving barely passing grades to a host of other agencies.
“It is disappointing to announce that the federal government has received a failing grade on its security efforts,” Subcommittee chairman Stephen Horn said in his opening remarks upon presenting the annual computer security report card.
The subcommittee began grading 24 major executive branch departments of the U.S. government last year after Congress passed the “Government Information Security Reform Act,” which stipulates that federal agencies establish agencywide computer security programs that protect the systems that support their missions.
Critical agencies such as the Department of Defense, Department of Transportation, Department of Health and Human Services, and Department of Energy, as well as the Nuclear Regulatory Commission, all received “F’s,” a failing grade.
The dismal report card comes at a particularly sensitive time when the U.S. is at war in Afghanistan and facing terrorism threats at home, making the protection of sensitive government information all the more crucial.
“All of us in Congress are well aware that the nation is in a state of war,” said Horn, a Republican from California. “It is not anyone’s intention to place this great land at further risk of attack. It is, however, very important that the new administration take heed of the sobering assessment the subcommittee is providing and work to expeditiously to address this most important need.”
Other agencies that were handed a failing grade included the Department of Justice, the Department of Treasury, the Department of Interior and the Department of Education.
Meanwhile, a handful of other agencies slipped by with a “D,” which is passing, but barely so. These included the Federal Emergency Management Agency, the General Services Administration and the Department of State.
The National Aeronautics and Space Administration scored a “C-minus” – slightly below average – while the National Science Foundation merited the highest grade of the group, scoring a “B-plus.” An “A” would have been the highest score, but no “A’s” were given out.
The ratings were determined by security audits and evaluations performed by agency inspectors general since July 2000, with standards set by the Office of Management and Budget.
“Without proper protection, the vast amount of sensitive information stored on government computers could be compromised and the systems themselves subject to malicious attacks,” Horn warned. “As the recent spate of computer viruses and worms have shown, cyberattacks have the potential to cause great damage to the nation.”
While the report comes as a stark warning to government agencies to tighten their ships in the face of increasing security concerns, the subcommittee did recognize some recent advances that government has made. Shortly after the Sept. 11 terrorist attacks on the U.S., a Special Advisor for Cyberspace Security was appointed to coordinate interagency efforts to secure government information, for instance. Furthermore, the president’s Critical Infrastructure Protection Board has recommended policies to protect information concerning critical infrastructure.
Still, in the report released Friday the subcommittee states that, “recent reports and events indicate that these efforts are not keeping pace with the growing threats and that critical operations and assets continue to be highly vulnerable to computer-based attacks.”