Friday, March 17, 2006

Homeland Security A Computer Security Failure

U.S. cyber-security dismal: House report
Many federal agencies received low marks from a congressional committee Thursday on their cyber-security.

The 24 agencies were assessed on their levels of compliance with a federal computer system security act. Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, told GovExec.com that agencies spend all their computer security funding producing reports mandated under the law and don't have the money necessary to secure their computer systems.

The 24 agencies graded by the U.S. House Government Reform Committee for their compliance with the 2002 Federal Information Security Management Act fell largely in either the lowest or highest categories, with the government earning an overall grade of D+, the same mark as last year.

Eight agencies received Fs: the departments of Agriculture, Defense, Energy, Health and Human Services, Homeland Security, Interior, State and Veterans Affairs.

Another five agencies received Ds: the Nuclear Regulatory Commission and the departments of Commerce, Housing and Urban Development, Justice and Treasury, GovExec.com said.

Five agencies were awarded A+ grades: the Agency for International Development, Environmental Protection Agency, Labor Department, Office of Personnel Management and Social Security Administration.

But Bruce Brody, vice president of information security at INPUT, a Reston, Va.-based government market analysis firm, told GovExec.com the cyber-security grades were "much ado about nothing."

Well versed in government blame-shifting techniques, Brody recently left the chief information security office position at the Energy Department.

"You can get a good FISMA grade with a lot of paperwork, but that doesn't mean you are secure," Brody said.

"FISMA has done a really good job in focusing attention and getting people at the more senior levels aware of information security, but it needs to evolve to where it is more than a paperwork exercise."

Guess that while he was Chief Information Security Officer at Energy he never heard of documenting the network, intrusion detection, and a number of other best practices.

That's OK though, because now he's consulting with other agencies on how to do things at the failing grade level (Energy received an "F").