Federal agencies received an overall D+ grade in cybersecurity in the annual report card for 2004. The Department of Homeland Security received a failing grade.
The grades, released by the U.S. House Government Reform Committee, are based on reports required by the Federal Information Security Management Act of 2002.
"The good news is, the grade for government agencies overall rose 2.5 points last year. The bad news is, the overall grade is a D+," committee chairman Rep. Tom Davis (R-Va.) said in a statement.
The grades "indicate that agencies have made significant improvements in certifying and accrediting systems, annual testing and security training, but significant challenges remain," he said.
The Department of Homeland Security received an F, along with the departments of commerce, veterans affairs, agriculture, health and human services, energy, and housing and urban development.
Davis said his committee will investigate why some agencies continue to under-perform and noted areas where improvement is needed, including annual review of contractor systems, testing of contingency plans, and incident reporting.
He praised the Department of Transportation, which received an A-, a huge improvement from its D+ in 2003. Some agencies may not have received A's but did increase their scores, he noted.
At the RSA Conference in San Francisco, an attendee said federal agencies are doing better than the grades show. During a question and answer period after a conference session Friday, the attendee - who said he has worked in government IT security for 10 years - told panelists, "We don't get credit for the level of security we have."
This week, Davis also announced the formation of the CISO Exchange, which he described as a public-private initiative to enable CISOs to improve federal IT security.