[ISN] With D+ On Their Report Card, Federal Security Officers Try A Study Group

InfoSec News isn at c4i.org
Thu Feb 17 04:47:17 EST 2005


By Eric Chabrow 
Feb. 16, 2005

The consistent failure of many federal agencies to secure their IT
systems effectively has prompted government officials to create a new
organization, to be funded by the private sector, to help federal
chief information security officers improve cybersecurity.

The formation of the CISO Exchange, announced Wednesday, came as the
House Government Reform Committee issued a federal computer security
report card in which the average grade for 2004 was a D+.

Federal CISOs need better guidance to comply with the 2002 law that
requires agencies to secure their IT systems and networks. In a survey
of one-quarter of federal CISOs, 70% say they want clarification of
guidelines; 53% recommended that guidance be improved on the annual
security control tests conducted by agencies' inspectors general.

"It's not sufficient to keep admonishing these guys," says Stephen
O'Keefe, the head of an IT public relations, research, and events
firm, who will serve as the CISO group's executive. "We have to
provide a forum where they can have a seat at the table, learn from
others, and get feedback on ideas."

The creation of the CISO Exchange was announced by Rep. Tom Davis, the
Virginia Republican who chairs the Government Reform Committee and the
federal CIO Council, a congressionally mandated group of CIOs who
represent major federal departments and agencies.

Unlike the CIO Council, the CISO Exchange will be an informal
organization aimed at giving 117 federal departmental and agency CISOs
a common voice. The exchange will be co-chaired by Justice Department
CIO Van Hitch, who chairs the CIO Council's cyber security and privacy
committee, and Government Reform Committee staff director Melissa

Davis, in a statement, said the exchange is patterned after other
government efforts to cross-pollinate ideas and best practices between
the private sector and government in order "to move our government to
the top of the class in IT security." The CISO Exchange will hold
quarterly education meetings as well as produce a report on federal IT
security priorities and operations.

O'Keefe says 100% of CISO Exchange funding will come from business,
mostly IT security companies, and not from government coffers. No
company has yet been asked to commit money to the venture, because,
O'Keefe says, the CISO Exchange wanted to await the announcement of
the group's formation before soliciting contributions. He says a
number of companies have expressed interest in supporting the
exchange, which doesn't yet have a budget.

Seven cabinet departments received a grade of F on their computer
security report card: Agriculture, Commerce, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, and
Veterans Affairs. The grades for Commerce and Veterans Affairs dropped
from 2003 scores of C- and C, respectively.

The biggest jump in performance occurred at Transportation, which
received an A- after getting a D+ in 2003. The Agency for
International Development had the highest grade, an A+, up from a C-
in 2003.

In the CISO survey, conducted by Telos Corp., an IT security
management provider, the vast majority of security officers said there
was no correlation between the scorecard grades they received and
government funding of IT security initiatives. "If there are no
incentives for agencies to continue to comply with FISMA
requirements," Telos chief security officer Richard Tracy says,
"what's the point?"
