Weaknesses and inconsistencies in agencies' security management practices have left dangerous holes in critical infrastructures, according to the latest assessment of federal agencies' compliance with the Federal Information Security Management Act. In light of continually low scores on information security, some security experts and congressional leaders say federal agencies must take FISMA requirements more seriously.
Nearly all federal agencies depend on automated systems and electronic data, congressional auditors said at a recent hearing on FISMA grades. Without those assets, agencies would likely be unable to manage resources and pursue their missions. People could steal federal payments, launch attacks on connected computer systems or abuse sensitive information about citizens. Hence, the degree of risk caused by security weaknesses is high, Government Accountability Office auditors wrote in their new report on FISMA compliance.
Federal agencies averaged a D-plus on the 2005 computer security report cards from the House Government Reform Committee, the same as the 2004 average grade.
Notably, agencies whose missions include homeland security received failing grades.
"For most people, this is an abstract, inside-the-Beltway issue," said Rep. Tom Davis (R-Va.), the committee's chairman, at a March 16 hearing held to announce the 2005 grades. "FISMA is still viewed by some federal agencies as a paperwork exercise, but these are shortsighted observations."
Davis singled out agencies with failing grades. "If FISMA were the No Child Left Behind Act, a lot of critical agencies would be on the list of low performers," he said. "The scores for the departments of Defense, Homeland Security, Justice and State, the agencies on the front lines in the war on terrorism, remained unacceptably low or dropped precipitously."
Agencies made improvements in developing configuration management plans, training security employees, developing and maintaining an inventory, certifying and accrediting systems, and testing, Davis said. Nevertheless, the committee still has concerns, he said.
GAO auditors found that none of the 24 major agencies that receive FISMA grades has the agencywide information security program that FISMA requires. Agencies do not adequately assess risks or develop risk-based policies and procedures for securing information. Many agencies still do not have complete inventories of their major information systems, GAO reported.