US Federal Agencies Score Terribly on Cybersecurity-us-federal-agencies-score-terribly-cybersecurity.jpgThe May 2018 Federal Information Technology Acquisition Reform Act (FITARA) scorecard reported dismal cybersecurity preparedness for U.S. federal agencies. FITARA now includes a metric for grading agency cybersecurity postures, tied to the Federal Information Security Management Act (FISMA).

Of the 23 agencies:

9 - Failed (grade F)
9 - Received a D
5 - Earned a C which was the highest grade achieved by any agency

Federal Information Technology Acquisition Reform Act (FITARA) scorecard


  • To continue oversight of the federal agencies’ implementation of the Federal Information Technology Acquisition Reform Act (FITARA).


  • In December 2014, Congress enacted FITARA to promote federal IT modernization and strengthen the federal IT workforce.
  • The Committee worked alongside the Government Accountability Office to develop a scorecard to assess agencies’ FITARA implementation efforts, assigning a grade from A to F.
  • The Committee released scorecards in November 2015, May 2016, December 2016, June 2017 and November 2017 .

The report also indicated federal IT systems are increasingly obsolete with outdated software and hardware. In at least one case an agency was using systems over 50 years old.

There is significant room for improvement. Until then, the U.S. federal infrastructure and services are at significant risk from digital attacks.

The upside is the fact that cybersecurity postures are being measured consistently and reported. It is tough to make headway if decent metrics do not exist. Quantifying the problem is a step in the right direction.

Watch the Congressional Committee on Oversight & Government Reform hearing Subcommittee on Information Technology and subcommittee on Government Operations announce and discuss the latest results:

Ego Beyond Reality
It is easy to believe your organization is doing well if there aren’t any credible audit results to the contrary. The FITARA report card should help federal agencies understand where they truly stand.

For example, it is tough to reconcile how the Department of Homeland Security wants to train businesses on cybersecurity, yet themselves score so poorly. Most recently, they scored a D grade on FITARA for cyber.

A realistic understanding of the landscape and threats is necessary to properly manage risk. Knowing your deficiencies is a crucial part necessary for success.

The May 2018 FITARA 6.0 Scorecard can be found here:

Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit