Security: A Continuing Federal Challenge

The latest FISMA scorecards are out, with the grades for different agencies' efforts in the computer security arena. Amazingly, the overall grade--for all 24 major agencies in the federal government--has moved not a notch. Last year's D+ remains intact.

For those who may be new to FISMA Fun, it works more or less like this: the General Accounting Office (GAO) and the Office of Management and Budget (OMB) ask each major agency's Inspector General (IG) to submit an independent report about computer security based on numerous guidelines and scoring criteria. The IG requests input from each agency's CIO and other in-house security pros, and issues an annual report to the OMB. The GSA and OMB make their overall reports to the Committee on Government Reform, which is under the auspices of the U.S. House of Representatives.

The whole thing came about under the Federal Information Security Management Act (FISMA), which President Bush signed in December 2002. Interestingly, the security reports are submitted at the same time as the agency's budget request. I believe I understand the tie-in between asking for money and demonstrating results with the money already spent. But with all this happening at once, it's too bad the term 'March Madness' has already been taken.

And so pretty much everyone involved in government IT has a voice, and a part to play. Is it a perfect system? No, of course not. But it's the one we've got, at least for now, and even with its imperfections it gives at least some sort of assessment into the federal government's security efforts.

That said, I do have to wonder if these two facts are connected: 1) 2005 was one of the worst years on record for data breaches and government security snafus and 2) more than half of the 24 agencies assessed either stayed at a failing security grade or went down from the year before.

This did not escape the attention of Rep. Tom Davis, chair of the House's Government Reform Committee. During his opening remarks at last week's hearings, he said that despite all the brouhaha over data and other breaches, "it is still difficult to get people--even members of Congress--engaged. For most people this is an abstract, inside-the-Beltway issue."

Rep. Davis (R-Va.) also rightly connects the agencies' security problems with broader issues, including how difficult it will be for the federal government to continue making progress on its e-initiatives. If citizens do not trust the government to keep their information safe, then who's going to want to use any tools or Web sites that the agencies provide? Personally, I've been avoiding filing my taxes electronically because of this very issue. It would be great to be able to use this tool, but unfortunately I still don't trust it, the same way I don't use e-banking, either. Too much can and still does go wrong.

Contrast this to the government-wide security framework implemented by Canada. Our neighbor to the north is starting to do its census electronically. They can do this because over a million Canadians already use authentication when interacting with their government, according to Entrust CTO Chris Voice, and so the notion of keeping their census data safe is something that the government can apparently promise with a high degree of certainty.

Here at home, I have to wonder if it's disorganization, the scale of our government, funding issues, a silo mentality, or a lack of will--or some combination of all of the above--that keeps us from being able to do the same. How great would it be to be able to go the Social Security Site on behalf of my elderly parents, be authenticated there, and then go to the IRS to submit my taxes? Oh, and maybe update my confidential health information--all behind a firewall of sorts so that I have to check in only once.

To help this along, Entrust's Voice and others are pushing for agencies to use 128-bit encryption as specified by the National Institute of Standards, which also keeps a list of vendors and implementations that NIST has tested. Along these lines, another impetus is for a national data security bill that mandates consumers are told if anyone hacks into their information. If the agency or business involved uses 128-bit encryption, though, there is no mandated reporting; because the data is encrypted there's a slim chance that anyone will be able to read it, North says.

I'm not sure I agree with this, after all the PIN problems we recently saw with major banks here and abroad. That data was supposed to be encrypted, too, but one theory is that someone stole the keys to decrypt it. Imagine if your banking PIN number was hacked; I'd want to know regardless of whether encryption was involved. Wouldn't you?

Still and all, at least 128-bit throughout the government would be a start. But to say federal security is moving at a 'snail's pace' does a grave disservice to snails everywhere. It's more like a sloth's pace, since those critters hardly move at all.

It's a sad commentary that only one of the 24 agencies graded under FISMA--the small but apparently mighty Agency for International Development--stayed at its A+ grade from the year before. Gold stars for them, but how pathetic for too many of the rest.

As Rep. Davis concluded in his remarks last week, "None of us would accept D+ grades on our children's report cards. We can't accept these [marks] either."

Sure, there's been progress by some individual agencies. Out of the 24, nine have improved their security standing; Commerce and HUD now have overall passing grades (D+ in both cases) as compared to last year's failures. Other success stories include NASA, which went from last year's D- to this year's B-, and GSA, the National Science Foundation, and the Office of Personnel Management, which all went from some variation of C to an A.

Good for them. Perhaps they can pass along some tips and best practices to the eight agencies that have lower grades than they did last year, including Interior, State and, incredibly, the Department of Defense; all three went from passing last year to failing this year.

Perhaps what they tried didn't work, or perhaps, as seem to be the cases with Homeland Security and DoD, they're taking the time to implement new or improved security infrastructures from top to bottom. Scott Charbo, the CIO of DHS, testified that the agency completed its comprehensive systems inventory in August, and now DHS is in a position to implement more stringent security controls and compliance measurement. We'll see what next year's FISMA report brings in regards to DHS, which kept its F grade from last year through this one.

But what of the others who showed no movement from last year's failing grade? Energy, Veterans Affairs, the Department of Health and Human Services and the Department of Agriculture all stayed at "F." It gives the appearance of no effort being expended at all in the security arena, despite whatever may have happened behind the scenes.

What do you think will help fix the security mess that exists in too many agencies? Please weigh in with your thoughts; send me your comments at [email protected] and I'll publish your remarks at some future point.