Computer Security Is Questioned Eight agencies were graded “F” for their compliance with the federal computer security law in an annual ranking by the House Government Reform Committee. But some critics say the Federal Information Security Management Act, or FISMA, is a useless paperwork exercise. In its report, released March, 16, the committee gave the government an overall grade of “D+,” the same as last year. “We know that government systems are prime targets for hackers, terrorists, hostile foreign governments and identity thieves,” said Chairman Tom Davis (R-VA), the sponsor of FISMA. “We want agencies to actively protect their systems instead of just reacting to the latest threat with patches and other responses.” Five years after the law was passed, it has proved to be “largely ineffective,” according to an analysis by the market research firm Input. “FISMA has become a largely paperwork drill among the departments and agencies, consuming an inordinate amount of resources for reporting progress while putting in place very little in the way of actual security improvements,” said Bruce Brody, Input’s vice president, information security. “Moreover, the current system-by-system and site-by-site approach to reporting information security issues does not recognize the importance of backbone infrastructure security improvements.” Brody is a former chief information officer at the Energy Department. The committee gave failing grades to the departments of Agriculture, Defense, Energy, HHS, Homeland Security, Interior, State and Veterans Affairs. Five agencies were graded “A+:” the Agency for International Development, Environmental Protection Agency, Labor Department, Office of Personnel Management and Social Security Administration. The National Institute of Standards and Technology has issued its final standard setting minimum security requirements for federal systems in 17 areas. “Federal Information Processing Standard 200” is available at www.nist.gov.