Chaired by U.S. Rep. Tom Davis, R-Va., the committee will release 2005 federal computer security scorecards during an oversight hearing scheduled tomorrow morning. The scorecards are based on a review of reports submitted by federal agencies in response to requirements of the Federal Information Security Management Act of 2002 (FISMA).
Davis wrote the bill to compel government workers to better protect systems from potential cyber attacks. It requires each federal agency's CIO to give Congress a yearly report on how it is working to implement risk-based methods to manage information security. The committee then compiles the scorecards based on agency security practices documented in the reports.
The objective of Thursday's review is to see how well government agencies advanced their information security practices in 2005, said Drew Crockett, committee spokesperson.
"Tomorrow we'll see which agencies have improved security, answering one big question," he said. "Is the government ready for a digital Pearl Harbor?"
Crockett said that certain agencies have been better than others at improving their security management. The committee plans to explore the reasons why certain agencies are still not able to meet guidelines set out by the FISMA framework.
Committee members will also discuss whether improvements need to be made on the FIMSA requirements themselves. Some federal CIOs have questioned the usefulness of FISMA reports and the resultant scorecards. In the release of its annual Survey of Federal CIOs last month, the International Technology Association of America noted that, "one CIO cited FISMA reporting as a paper exercise and a 'forced march without value.'"
Crockett said that the committee is aware of the criticisms and will look at whether they have any merit.
"The goal of FISMA was to establish a broad framework for security," he said. "The last thing we want is it to turn into a paperwork exercise. We need to know whether that is a valid criticism or not and whether there are any changes that we need to make to reporting requirements."