[ISN] Q&A: Rep. Davis on latest federal IT security report card
isn at c4i.org
Fri Feb 25 04:48:23 EST 2005
By Jaikumar Vijayan
FEBRUARY 24, 2005
House Government Reform Committee Chairman Tom Davis (R-Va.) last week
released the 2004 federal government computer security scorecard,
which gave federal agencies an overall D+ average (see story) .
Several agencies, including the Department of Homeland Security and
the Department of Energy, scored F's for the second year running.
Others, such as the Department of Transportation, showed big
In this interview with Computerworld, Davis talked about the
government's performance on the score card and warned that more
mandates could be on the way if federal agencies don't fix their
security issues soon.
What are your conclusions about the overall performance of government
I think it is improving, but it's not improving fast enough at this
point. The overall agency scores rose by 2.5 points, but they still
scored a D+. We just need to continue to give this focus, and
hopefully we won't have some kind of cyberattack or cyber-Pearl
Harbor. We have to be inspired by that to try and stay ahead of the
Why are some agencies faring so well while others appear to be
Leadership. It's about leadership. It basically goes to the CIO and
the agency heads and their ability to coordinate on this. They have
to get this focused. They need to get a plan, [and] they need to
execute on it. Some agencies have put the resources into it, and
others haven't. We have independently verified these scores. Some have
still a long way to go.
What's the incentive to improve when there are no funding or other
repercussions for bad grades?
I don't know if you want to punish people by withholding funding. That
makes it even tougher for them to meet their goals. But I think there
may be an embarrassment factor. If you want to have career advancement
and you come off an agency that has got a bad FISMA [Federal
Information Security Management Act] grade, it probably isn't going to
help you move to the next level. I think this is part of the
evaluation process. Eventually, I think there will be a funding
attachment. These score cards are fairly new, and we are trying to get
an appropriations buy-in.
Many of the recommended security controls for federal agencies will
become mandated requirements by the end of this year. What impact will
that have on the score cards next year.
Mandates are better than suggestions, unfortunately. You hate to get
to the point where you have to mandate things that need to get done.
But I think that is the way Congress will react, with more mandates on
agencies that will put more burden on them. We would rather have
[agencies] solve the issues themselves. But if they can't do that, I
think they'll get a lot more mandates.
You identified several areas where federal agencies overall need to
improve, including annual reviews of contractor systems, testing of
contingency plans and incident reporting. What is the problem?
[Federal agencies] don't have the finances for it. The basic problem
is that we are asking them to do this in some cases without giving
them a lot of new money. As a result of that, they just check it off
like they do all their other priorities. They are kind of waiting for
additional money to come through. We ask the agencies to do a lot of
things. This is just one.
You had identified a need for each agency's inspector general to
standardize the evaluation process to ensure the accuracy of their
reports and make sure that fair comparisons can be made between the
agencies. What's being done?
We haven't made any changes yet. That will be based on the responses
we get from the different agencies.
How will the CISO Exchange that you announced recently help improve
Hopefully, we will get people to come from agencies that have done it
going into agencies that haven't done it and show them how to do it.
You get some pollination that way.
More information about the ISN