The annual FISMA grades are to be announced for 2006 sometime today. From the initial reports, the scores are still pretty bad at a C- for the entire government; though, overall, the government did score better than last year's D+ grade. (I'm sure some member of Congress will bill this as a "success story.")
Of the 24 agencies that must file FISMA grades, 7 received grades of A (from this article). Of the remaining agencies, 13 received a grade of D or below.
Some highlights:
Good Scores
- Agency for International Development (USAID) - A+
- Department of Justice - A-
- Social Security Administration - A
Failing Scores
- Department of Commerce
- Department of Defense
- Department of State
- Department of Treasury
And finally, the Department of Veterans Affairs didn't even submit its report. Let's just say that, given its well-known problems with laptop loss, it probably would have failed anyway.
Of note, for the first time since its inception, the Department of Homeland Security didn't fail (source).
These scores, and the lack of improvement behind them, show that FISMA is not succeeding in making government IT security any better. It has ended up being a paper exercise with no repercussions for failure. As a former government employee, I know that security is considered a high priority in some agencies, but others just don't care. To me, it seems that some of the agencies that should care most (DoD, DHS, State, etc.) have done little to protect their information systems.