Homeland Security Department officials cited progress in securing IT systems across the sprawling organization as reflected in an Inspector General Office report issued today. They expressed confidence that their department would receive a passing grade for the first time in next year’s federal IT security report card.

The report forms part of the process that leads to the assignment of a letter grade for IT security. Today’s report, for the first time, does not point to DHS performance as a “material weakness” that would lower the grade.

Even as the IG report mentioned significant improvements in IT security, it pointed to specific areas where DHS has much work to do. DHS officials concurred in the auditor’s evaluation of needed security upgrades and described their planned improvements in an annex to the report.

According to the report, “Some of the issues that we identified and recommendations made in our FY 2005 report — to assist DHS and its components in the implementation of its information program — have been addressed.” The report cited improvements in developing a comprehensive system inventory and increasing the number of systems that have been certified and accredited.

The report tagged five major problems with DHS’ technology security:

• Not all DHS systems have been certified and accredited.
• Some of the IT security weaknesses in DHS agencies don’t appear in the department’s Plan of Action and Milestones.
• Data in the department’s enterprise management tool, Trusted Agent FISMA, is not complete or current.
• System contingency plans have not been tested for all systems and
• The department’s IT security procedures should be improved.

Charles Armstrong, the department’s deputy CIO, said in a telephone interview today, “We’ve made huge progress since 2003. There were components that got their IT ripped apart and glued into ours [when DHS was created]. We still are in the throes of trying to rationalize and get to one IT structure, so to go from [approximately] 20 percent of systems being certified and accredited to 90-plus percent is a really a good feat.”

Armstrong predicted that “This is one year where we look forward to testifying in front of [House Government Reform Committee chairman Rep.] Tom Davis [R-Va.] and telling him our stories of success."

Department spokesman Larry Orluskie said in an e-mail message, “DHS has a total inventory of 692 DHS IT systems; 589 systems, or 85 percent, were certified and accredited as of Sept. 15, 2006. And, this is the number reported in the department's 2006 [Federal Information Management Security Act] report to OMB.” Orluskie added, “We anticipate 100 percent [of the systems will be certified and accredited] by the end of calendar year 2006!”

DHS received an F for its IT security under the FISMA process for 2003, 2004 and 2005, years in which the department’s Inspector General highlighted serious material weaknesses in the area. But Orluskie said that the department expects to receive its first passing score when the report cards for 2006 are issued in early 2007.

Armstrong assigned much of the credit for the improved performance to chief information security officer Bob West.

Wilson P. Dizard III is a staff writer for Washington Technology’s sister publication, Government Computer News.