[NYTr] Cyber-Security: US Outstandingly Mediocre
Date: Fri, 13 Apr 2007 22:16:52 -0500 (CDT)
Via NY Transfer News Collective * All the News that Doesn't Fit

ZDNet - Apr 12, 2007
http://government.zdnet.com/?p=3070

Feds get C- security grade but Defense fails, DHS gets a D

The conventional wisdom is that the federal government deserves failing grades for computer security. After all, the big VA breach of a year ago has been followed by many more stories of agencies losing computers, suffering data breaches and failing to encrypt sensitive data.

Today a House committee handed out security report cards for all federal agencies, The Washington Post reports. The good news is that, overall, the feds aren't failing: the average grade is C-minus. The bad news is that many agencies with critical systems have indeed earned Fs: the departments of Defense, Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. Not much better: the Department of Homeland Security earned a D, an improvement since 2005.

C-minus is better than last year's D-minus, but note this negative trend: nine agencies earned lower scores than they did the previous year, with some falling behind considerably. NASA went from B-minus to D-minus, and Education went from C-minus to F.

So who gets the As? The Agency for International Development, the Environmental Protection Agency, the General Services Administration, the departments of Justice (!) and Housing and Urban Development, the National Science Foundation, the Office of Personnel Management, and the Social Security Administration.

The grades were based on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements detailed in the Federal Information Security Management Act, which requires agencies to meet a wide variety of computer security standards.
Critics of the process have called the annual FISMA reports more of a paperwork exercise than an accurate representation of the security of federal agencies' computers and networks. They say the reports do not require, or give agencies credit for, taking certain types of security precautions, such as penetration tests to locate gaps in security defenses.

That criticism has some weight with Alan Paller, director of research for the SANS Institute, a security training group. "Shifting even half the money from report writing to actual security improvements could enable the government to lead by example in cyber security and provide the critical mass of incentive to integrators and system and software vendors to bake security into every product they sell," Paller said.

***

The Register (UK) - Apr 13, 2007
http://www.theregister.co.uk/2007/04/13/us_gov_security_audit/

US agencies' cybersecurity defences are outstandingly mediocre
From dunce's cap to C- in one bound
By John Leyden

Information security procedures in federal government have improved, albeit modestly. An annual computer security report card on 24 federal agencies released Thursday rated average security at C-minus for 2006, compared to D+ in 2005. So instead of being sent to bed without their pork supper, federal IT managers have earned a pat on the head, if not a generous end-of-term present.

The scores are based on reports submitted in response to the Federal Information Security Management Act of 2002 (FISMA). Perennial security underachiever the US Department of Homeland Security received its first-ever non-failing grade, managing to pull its performance up from an F to a D, the first time since the scheme began in 2003 that it didn't flunk. Although overall security procedures improved, the Department of Defense (DoD) recorded a failing F grade.
Meanwhile the Department of Veterans Affairs, whose loss of laptops containing veterans' confidential data triggered a huge security breach, failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked. On a brighter note, the DoJ picked up an A- while the Social Security Administration rated an A.

The reports are overseen by the House Government Reform Committee, the well-spring of the FISMA laws. Although supporters of the law say it provides an incentive for improving security controls, critics (including government IT managers) say the audit is more about fulfilling compliance requirements than reducing exposure to information security risks. Security industry observers also criticise the lack of remedial action, or indeed consequences of any type, that result from agencies receiving a failing grade.

================================================================
NY Transfer News Collective * A Service of Blythe Systems
Since 1985 - Information for the Rest of Us
339 Lafayette St., New York, NY 10012 http://www.blythe.org
List Archives: https://olm.blythe-systems.com/pipermail/nytr/
Subscribe: https://olm.blythe-systems.com/mailman/listinfo/nytr
================================================================