OMB: Agencies Improving IT Security
Report to Congress Paints Brighter Picture of Fed Cybersecurity
As the number of cybersecurity incidents increases, departments and agencies are doing a better job of complying with the law that governs IT security in the U.S. federal government, a new report to Congress from the White House says.
In its annual Federal Information Security Management Act report to Congress, the Office of Management and Budget describes how federal agencies did better in implementing security programs in fiscal 2013, which ended last Sept. 30, than they did the previous year.
Beth Cobert, OMB deputy director for management, says the report notes progress federal agencies made in key areas of information security. "OMB continues to work with agencies to fulfill the requirements of FISMA and implementing increasingly resilient information technology security and privacy management programs," Cobert says in a letter to the chairmen of congressional committees with IT security oversight.
"While the sophistication and diversity of threats to government systems and information continue to increase, departments and agencies are demonstrating progress in implementing solutions designed to mitigate their risk," the report says.
In 2012, government agencies, on average, met 73 percent of the FISMA requirements. That percentage rose to 81 percent last year, with significant improvements in adoption of automated configuration management, remote access and e-mail encryption.
Compliance with cross-agency performance goal strategies saw similar improvements, with average agency compliance rising from 77 percent in 2012 to 81 percent in 2013. CAP goals include trusted internet connections, continuous monitoring and strong authentication.
Three Comprehensive Initiatives
OMB tells Congress that the federal government has undertaken three comprehensive initiatives to ensure the continued safety of federal systems, including protecting existing information and information systems, supporting the safe and secure adoption of emerging technology and building a sophisticated information security workforce.
"The federal government has made it a priority to protect systems and information from threats like malicious code attacks through the utilization of both technical capabilities and cooperative frameworks," the report says. "As the government expands upon these capabilities, it must remain cognizant of supporting the adoption of emerging technologies in a secure manner to reduce the threat of compromising sensitive information."
OMB says the government will require a strong information security workforce that's able to operate in an increasingly complicated digital environment. "While threats to federal systems and information will continue to evolve, utilizing the three-pronged approach ... will ensure that federal capabilities will evolve as well," the report says.
As part of the trusted Internet connection initiative, the government has deployed the intrusion prevention system known as Einstein 3 Accelerated, which OMB says is focused on countermeasures to address 85 percent of the cybersecurity threats targeted at executive branch civilian agencies.
OMB, in the report, also points out that the National Institute of Standards and Technology is developing new guidance aimed at increasing information security by providing alternative authentication solutions for mobile devices and other end-user devices when the use of a personal identity verification card for network access would be impractical.
In support of the government's National Security for Trusted Identities in Cyberspace and Identity, Credential and Access Management initiatives, OMB says several agencies are working with the Postal Service and General Services Administration in piloting a federal cloud credential exchange initiative that should soon go live. The pilot will test a secure, privacy-enhancing and interoperable mechanism for government applications to accept federally approved, externally issued credentials, according to OMB.
The report discloses that federal agencies spent more than $10 billion on IT security in fiscal 2013, including $4.1 billion to improve the effectiveness of cybersecurity efforts, $3.6 billion to prevent malicious cyber-activity and $2.7 billion to detect, analyze and mitigate intrusions.
Unlike other sectors, where phishing is the most common type of security incident reported to the United States Computer Emergency Readiness Team, the most common incident reported by the 25 largest departments and agencies, known as CFO Act Agencies, was a category labeled non-cyber. The government defines non-cyber as the leaking or mishandling of personally identifiable information that involves hard copies or printed materials rather than digital records. Non-cyber represented more than one-quarter of the incidents reported by large agencies. The most reported digital incident among large agencies, at nearly 20 percent, was policy violation.
As a comparison, policy violation accounted for 5.2 percent and non-cyber 6.7 percent of incidents reported to U.S. CERT in 2013.
Among smaller federal agencies, suspicious network activity was the most common reported security incident, at 22 percent, a category that's primarily used for incident reports and notifications created from Einstein traffic-flow monitoring and Einstein 2 intrusion detection systems data analyzed by U.S. CERT.