The congressional committee that released A, B, C, D and F grades on the year 2000 compliance of federal agencies during the last two years now intends to issue similar grades evaluating the information security readiness of 54 federal agencies and departments.
The U.S. House Subcommittee on Government Management, Information and Technology, which is chaired by Rep. Stephen Horn (R-Calif.), plans to release its security report cards at a Sept. 11 hearing. The U.S. General Accounting Office (GAO), which has largely been critical of the security efforts of federal agencies, also is due to issue a report at the hearing.
"We heard testimony, over and over again, that the [Y2K] report card was instrumental in getting [federal agencies'] attention, and we hope this will do the same thing," said Bonnie Heald, a spokeswoman for Horn's subcommittee.
The security report cards will be based on information received from questionnaires and data collected by the GAO that evaluates external access to systems, application controls and other security procedures. For example, a GAO report released earlier this month slammed the Environmental Protection Agency for "serious and pervasive problems that essentially rendered [its] agencywide information security program ineffective."
But Mark Gembecki, president of information security firm WarRoom Research Inc. in Linthicum, Md., said the committee's effort has its limits.
"From an embarrassment standpoint, it will probably be very effective," Gembecki said. "I don't think anyone wants to be compared to a drunken driver. But I think [Horn and other subcommittee members] are sending a terribly misconfigured message, that they would rather police than create awareness."
Gembecki said the effort being devoted to preparing the report cards would be better spent on giving agencies the tools and recommended best practices that are needed to solve their information security problems.