FISMA Scores Improve…Barely

The latest grades are out for the Federal Government when it comes to information security. According to Government Technology, Rep. Tom Davis, ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus for safekeeping information on government computer systems. After three years mired in D's, a C-minus shows some improvement, but it still leaves a lot of room for growth.

While the Department of Justice and the Department of Housing and Urban Development showed the most improvement, with Justice jumping from a D to an A-minus and HUD from a D-plus to an A-plus, there were also some significant declines: NASA fell from a B-minus to a D-minus, and the Department of Education fell from a C-minus to an F.

As Rep. Mike Turner, ranking member of the Information Policy, Census and National Archives subcommittee, said in the Government Technology article, "It’s troubling that some of the agencies with the most sensitive information continue to score poorly on this. The report identifies problems in federal agencies which include the Department of Defense, the Department of State, and the Nuclear Regulatory Commission."

However, on closer inspection, two of the biggest grade improvements came as a result of simply documenting the inventory of systems. You’d think this was a very elementary step to take for securing sensitive data.

As the article points out, "more improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities."

Nobody in government IT should be satisfied with this improvement. An average compliance score is one thing, but it most likely means above-average vulnerability to exploits.

*** This is a Security Bloggers Network syndicated blog from IT Best Practices and Compliance Reporting Information authored by abakman. Read the original post at: