Original URL: http://www.theregister.co.uk/2007/04/13/us_gov_security_audit/
US agencies' cybersecurity defences are outstandingly mediocre
From Dunce's cap to C- in one bound
Posted in Government, 13th April 2007 19:39 GMT
Information security procedures in federal government have improved, albeit modestly. An annual computer security report card on 24 federal agencies released Thursday rated average security at "C-minus" for 2006, compared to D+ in 2005.
So instead of being sent to bed without their pork supper, federal IT managers have earned a pat on the head, if not a generous end-of-term present. The scores are based on reports submitted in response to the Federal Information Security Management Act of 2002 (FISMA (http://csrc.nist.gov/policies/FISMA-final.pdf)).
Perennial security underachiever the US Department of Homeland Security received its first-ever non-failing grade, managing to pull its performance up from an F to a D, the first time since the scheme began in 2003 that it didn't flunk.
Although overall security procedures improved, the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked. On a brighter note, the DoJ picked up an A- while the Social Security Administration rated an A.
The reports are overseen by the House Government Reform Committee, the well-spring of the FISMA laws. Although supporters of the law say it provides an incentive for improving security controls, critics (including government IT managers (http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070412005677&newsLang=en)) say the audit is more about fulfilling compliance requirements than reducing exposure to information security risks. Security industry observers also criticise (http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/04-12-2007/0004564727&EDATE=) the lack of remedial action, or indeed consequences of any type, that result from agencies receiving a failing grade. ®
