
Federal IT security ratchets up a fraction

Rash of data breaches last year gets credit for scaring straight some low scorers

By Jason Miller
Published on April 16, 2007


The past year’s rash of data breaches apparently drove home the need for information technology security more than the Federal Information Security Management Act score cards or any other federal policy could.

Lisa Schlosser, chief information officer at the Housing and Urban Development Department, said her boss called sometime last summer after a government laptop PC containing personal information on millions of veterans was stolen from the home of a Veterans Affairs Department employee. HUD Deputy Secretary Roy Bernardi, sounding worried about HUD’s IT security, asked Schlosser the question on many federal executives’ minds, “Could this happen to us?”

Schlosser reassured Bernardi that her staff members were doing everything possible to secure the agency’s IT infrastructure, but she also knew the call signaled that HUD’s senior executives realized that cybersecurity needed to be among the agency’s highest priorities.

“Our executives support and understand the importance of securing our technology,” Schlosser said. “The level of awareness among management and [a] more efficient way to do things has really helped.”

HUD’s ability to improve its information systems security earned it the greatest jump on the House Oversight and Government Reform Committee’s annual Federal Computer Security Report Card, which the committee released last week. The agency received an A+ for information security in 2006. That’s up from a D+ in 2005 and an F the previous two years.

Tom Hughes, the Social Security Administration’s CIO, said one of the first things the new commissioner did when he arrived was to ask how the agency was protecting personal data.

“He said, ‘We can’t afford a data breach,’” Hughes said. “SSA now takes IT security more seriously than it did a year ago.” SSA received an A for the second year in a row.

“Management must tell agencies how important this is,” said Rep. Tom Davis (R-Va.), committee ranking member and sponsor of the security report cards. “We will not know how important it is until there is a serious data breach.”

Beyond management buy-in, Schlosser credited HUD’s improvement to finishing its systems inventory.

Davis said completing systems inventories is a major reason that many agencies have improved and that the government as a whole moved to a C- from a D+.

“If agencies don’t have a systems inventory, they will have a lot of problems,” Davis said.

Overall, eight agencies received grades of A and eight others received failing grades for information security in 2006, the committee said. Four agencies earned a B, and two earned a C. VA did not receive a grade because it did not submit a FISMA report last year, the committee said.

The Office of Management and Budget is meeting with 12 agencies whose inspectors general rated their certification and accreditation and remediation procedures less than satisfactory.

“We are including the inspector general and the chief financial officer in these conversations now,” said Karen Evans, OMB’s administrator for e-government and IT. “This is new for us because the IGs have to give us an indication that the agency is on the right track, and the CFOs are affected by poor cybersecurity scores.”
