US Government IT Security 'Outstandingly Mediocre'

mrneutron2004 writes wrote with a link to an article on The Register, discussing an annual IT security report card handed out to the federal government. The results this year were mixed. The good news is that they graded higher than last year. The bad news? They still just rate a C-". Individual departments did better than others, but overall the results were quite poor. "Although overall security procedures improved the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked."

What might help

[Anonymous Coward]

It would probably help if most of the security measures weren't "Unfunded mandates"... There's quite a lot that could and should be done, and plenty of items which must be met, but as long as budgets are shrinking IT will continue to get a smaller piece of the pie with which to work.

Re:Government

[HomelessInLaJolla]

There's a fine point there. No, the government does not print the money. The government buys the printed money from the Federal Reserve, which is a coalition of private bankers. When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan. The federal government is $8.8 trillion dollars in debt to a bank which is allowed to set all the terms of repayment--including the interest rates used for all other major financial transactions in the nation.

We're all slaves!

Yes [slashdot.org], yes [slashdot.org], yes [slashdot.org] we [slashdot.org] are [slashdot.org].

Relative to what?

[djpretzel]

While from my experience a lot of fed workstations and servers are indeed running Windows, they have it so locked down and neutered that it's almost secure by virtue of being unusable. I've witnessed some pretty Draconian measures for locking down machines, red tape up the wazoo for change management, and detailed Certification & Accreditation procedures for moving IT systems into production and changing them. Relative to quite a bit of what I've seen in private industry, there's actually better security measures in place at multiple levels... Furthermore, in many cases security policies and systems themselves are being developed and certified by private industry contractors, many of whom are really rather sharp. They have no interest in being lazy when it comes to finding things to make more secure or criticize, because it means more revenue. I'd question how most private companies would fair if analyzed under these same FISMA regulations, or - since the article's on The Register - how the British government would rate.