The highest marks went to the Social Security Administration (B-), Labor Dept. (C+) and Nuclear Regulatory Commission (C).
The rest (Commerce Dept., NASA, Education Dept., General Services Administration, Environmental Protection Agency, National Science Foundation, and Dept. of Health and Human Services) got various shades of "D."
A lot of the evaluation came from the reports submitted by the agencies, but the GAO also included the results of penetration testing and how well agencies met standard network security standards. As grim as the results are, there is an improvement over last year. Moreover, some agencies, like the Department of Defense (which has the largest number of computers and networks in the government), have concentrated their security efforts on their most critical system. But many other agencies just don't have the money, or technically aware management, to get the people they need to secure their computer systems. Competition with the non-government sector means that corporations will always be able to outbid the government for technically competent people. Even hiring a lot of consultants doesn't work, for much of the effort required to keep networks protected is a day to day, sometimes hour by hour job. The government networks will probably be the most vulnerable in the nation for some time to come.
Most U.S. government computers are vulnerable to attack via the Internet. This we know because of law passed two years ago requiring government's major agencies to provide the General Accounting Office's (GAO) an annual report on the state of their computer systems. The latest "computer security report card," flunked the Justice Dept., State Dept., U.S. Agency for International Development, Office of Personnel Management, Veterans' Administration, Dept. of Housing and Urban Development, the Small Business Administration, the Treasury Dept., Energy Dept., Defense Dept., Interior Dept., Agriculture Dept., and the Federal Emergency Management Agency, Transportation Dept.