Grading On a Curve

This report card, like every one since FISMA was enacted in 2002, was abysmal. The federal government as a whole received a C-. The Nuclear Regulatory Commission and the departments of Defense, State, Treasury, Commerce, Education and Agriculture all received failing grades. The Department of Homeland Security received a D, while the Department of Energy (which is responsible for the nation's nuclear weapons and energy programs) received a C-.

So what does this tell us about the security of government networks? Not all that much, actually.

Though billed as a "computer security report card," the report does not actually measure information security as such; it measures compliance with the law. FISMA, in turn, mandates the implementation of a specific set of security practices and reporting requirements, but sets no practical benchmarks for resistance to attack. As a result, the grades reflect a whole host of factors that don't necessarily correspond to real-world security.

The Defense Department's grade, for example, was based to a significant extent on its failure to meet reporting, certification and accreditation requirements. Nevertheless, its risk tolerance is much lower than that of most of the agencies that received higher grades, and thus its systems are unquestionably more secure than those of, say, the Small Business Administration, which received a B+.

While noting that FISMA compliance is a useful tool for improving security, Liz Gasster of the Cyber Security Industry Alliance agrees that the current grading system can be misleading.

"There's a legitimate concern about how to make the reporting more accurate and more reflective of how resilient the systems are to cyberattacks of various kinds. It's a tough nut to crack; if you were in charge, how would you change the reporting?"

The point here is not that everything's A-OK with information security at the DoD; the federal government has some very significant problems on this front and hasn't done a great job of tackling them. The point is that security assessments are complex and tricky, and trying to boil them down to widely applicable standards, benchmarks and certifications is even trickier. Anything as simple as an A-to-F report card isn't going to give anyone enough information for sound decision-making.