Members of the U.S. Congress on Thursday lectured technology executives at two major security agencies for failing cybersecurity scores, with one congresswoman saying she doesn’t feel safe because of the problems.
“What’s happening at the two most strategic and sensitive agencies?” said Representative Diane Watson, commenting on the F grades given to the U.S. Department of Homeland Security (DHS) and the U.S. Department of Defense (DOD) by the House of Representatives Government Reform Committee. “Is there incompetence? Is there cronyism?
“I don’t feel comfortable that my homeland is secure,” Watson added during a committee hearing, a day after the committee released the 2005 cybersecurity scores for 24 major U.S. government agencies.
The DHS and DOD both received F grades for 2005, with DOD declining from a D grade in its 2004 score. Six other agencies, including the departments of State and Energy, also received Fs. Seven agencies received grades of A- or better, with the Department of Labor and the Social Security Administration among five agencies receiving A+ grades.
Committee Chairman Tom Davis, a Virginia Republican, said improved cybersecurity at federal agencies is “vital” to national security and the U.S. economy. “When it comes to federal IT policy and information security, it is still difficult to get people — even members of Congress — engaged,” Davis said. “None of us would accept D+ grades on our children’s report cards. We can’t accept these either.”
Technology executives at both agencies said their size, their widely dispersed employees and their varied missions contributed to a complex and quickly changing IT environment. Both agencies said they’ve made dramatic improvements in recent months.
The DOD deploys networks on the fly for soldiers and sailors, said Robert Lentz, director of information assurance for DOD. “We have very large and very diverse, dynamic organization deployed worldwide,” Lentz said. “Things are changing all the time.”
Karen Evans, administrator of the White House Office of Management and Budget’s Office of E-Government and Information Technology, agreed that large agencies can have a tougher time complying with the Federal Information Security Management Act (FISMA), passed by Congress in 2002. FISMA requires agencies to complete IT inventories, test for security vulnerabilities and develop remediation plans in the event of major attacks or outages.
“It sounds as if you are defending the incompetency of DHS,” responded Representative William Lacy Clay, a Missouri Democrat.
DOD has made several recent improvements, Lentz said. The agency has begun a process to track IT security personnel and security certifications, he said, and it conducted cybersecurity training for 2 million of the 2.6 million DOD military, civilian and contract workers who had access to DOD networks, he said.
DHS, which began operations in March 2003, completed a systems and applications inventory in August, said Scott Charbo, the DHS chief information officer. The agency also rolled out a systems certification and accreditation tool in April, he said. About 26 percent of its IT equipment was accredited as of late 2005, and that number is now up to 60 percent, he said.
Davis noted that DHS is a relatively new agency that brought together more than 20 U.S. agencies when it was formed. “This is a work in progress,” he said. “This takes years.”
Charbo agreed but said his agency needs to do better. “That still doesn’t change the fact that … we’re nowhere near where we wanted to be,” he said.