SIGNAL

Thursday, July 15, 2004 VOLUME 1 ISSUE 10  
Congress Scrutinizes Information Security Efforts
Majority of federal agencies flunk cybersecurity 101.
by Maryann Lawlor

U.S. legislators are fighting to secure information systems on two fronts: the federal government and the private sector. And, they are worried that the government is underachieving badly at a most crucial time for information security.

Concerns about the enormous impact of a system compromise that results in altered, corrupted or stolen data have prompted the U.S. House of Representatives Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census to continue monitoring agencies’ efforts to secure their systems. On the commercial side, the subcommittee chairman enlisted industry’s help and is evaluating recommendations about how to improve the security of the roughly 85 percent of U.S. critical infrastructure owned by the private sector.

The idea of issuing federal computer security report cards was initiated four years ago by former Rep. Stephen Horn (R-CA) when he chaired the House Subcommittee on Government Management, Information and Technology. In 2003, the grades were based on the Federal Information Security Management Act (FISMA) for the first time. Despite these regular evaluations, most government agencies received either below average or failing grades.

The two organizations that received a grade of A were the Nuclear Regulatory Commission and the National Science Foundation. The Social Security Administration and the Department of Labor received a B+ and B, respectively. Six organizations received grades in the C- to C+ range. These include the Department of Education, the Department of Commerce and the Small Business Administration. Another six organizations were graded in the D- to D+ range, including the Defense Department, the Office of Personnel Management and NASA. The departments of Energy, Justice and State were among the eight organizations that received a grade of F.

According to Rep. Adam Putnam (R-FL), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, a majority of federal agencies are receiving poor grades on their annual FISMA scorecard for several reasons. For example, only five of the 24 organizations evaluated have completed reliable inventories of their critical information technology assets.

A number of the evaluations also revealed that agencies are not properly documenting their efforts to achieve compliance with FISMA requirements. The overall grades of agencies would improve if strategic components, such as staff training programs and the associated documentation, were implemented, Putnam says.

Agencies’ inspectors general (IGs) also play a critical role in receiving a passing grade. Putnam notes that in three agencies—the Defense Department, the Department of Veterans Affairs and the Treasury Department—the IGs did not submit independent reports in a timely manner.

Although the grading system may seem a bit trite, Putnam asserts that the shrinking time cycle between vulnerability identification and the capability to exploit it heightens the need to protect information systems. Information security also is a matter of maintaining the public’s trust.

The congressman acknowledges that the evaluations show that the 24 federal agencies reported that more of their systems meet key Office of Management and Budget performance measures. For example, of the total number of systems reported, those assessed for risk increased from 65 percent to 78 percent. The number of systems with a contingency plan in place grew from 55 percent to 68 percent.

The subcommittee staff has met with all of the agencies to review their 2003 results and their plans for addressing deficiencies. “There is evidence that agencies are taking this issue much more seriously and are taking aggressive steps to change the culture to one that includes security as a primary focus alongside the functionality requirements of federal information systems. I am optimistic that the 2004 scorecard will show significant improvement,” Putnam says.

In addition to concerns about federal agencies’ information systems, Putnam also has initiated an effort to improve security in the private sector. After meeting with industry leaders in both the technical and nontechnical sectors, he determined that information security was not a high priority in many companies. “The issue of information security is still viewed by many as primarily a technology issue as opposed to a management and governance issue. Therefore, the matter is not being reviewed sufficiently or considered at the ‘C’ level of management,” he relates.

As a result, the congressman is working to increase the importance of information protection and to identify how to hold companies accountable for protecting their systems. Last fall, he drafted the Corporate Information Security Accountability Act of 2003, which would require publicly traded companies to include a status report on their corporate information security plans as part of their annual filing with the Securities and Exchange Commission.

To solicit additional input about a corporate strategy, the congressman convened a group of 25 senior business leaders and formed the Corporate Information Security Working Group (CISWG). The group’s members also include representatives from government agencies and academia.

The CISWG recommends action in procurement practices, awareness and education, incentives and best practices.

The full version of this article is in the August 2004 issue of SIGNAL, in the mail to AFCEA members and subscribers August 2, 2004. For information about purchasing this issue, joining AFCEA or subscribing to SIGNAL, contact AFCEA Member Services.

Published by AFCEA International
Copyright © 2004 AFCEA International. All rights reserved.