Government Security Barely Makes The Grade

This week, the annual "report card" released by The House Government Reform Subcommittee on Technology Information Policy, Intergovernmental Relations and the Census, issued an overall grade of D for government network and IT security, up from last year's F, but still not making the Dean's List.

Of the 24 agencies reviewed for the report card, eight received Fs, including the Department of Homeland Security. Only two agencies--NASA and Health and Human Services--saw their grades fall this year; the National Science Foundation and the Nuclear Regulatory Commission both climbed to the A level.

Other evaluations from other sources have been equally poor.

Add them all together, though, and you have a D, which some found to be encouraging. That such a low mark should receive a generally positive, if qualified, response shows just how far government security has come in the past year--as well as just how far it has to go.

Not everyone thinks matters are as dire or lax as the subcommittee's report card suggests. Former federal CIO Mark Forman views government security programs and implementations as superior to those of many businesses.

Whichever side one is on, there is a blessing to be found in the fact that government security preparedness is being measured, so far, by evaluation only, not by actual cyber-terror attacks or attempted attacks. Real-word performance in the face of such events will obviously be pass/fail only.

Ironically, even as the subcommittee report card was in its final stages of preparation, another lapse at Los Alamos was revealed, this one involving missing disks--a reminder that for all the effort and investment on overall IT infrastructure and strategy, a truly effective, truly secure system must attend to its every aspect, from the largest overview to individual users and their tools.