If the sheer volume of initiatives ensured cybersecurity, then the federal government would be one of the tightest entities in the world. Last week’s annual report on Federal Information Security Management Act (FISMA) compliance is a paean to the many efforts underway by the Office of Management and Budget.
- Movement by agencies to institute continuous network monitoring. This is based on the latest National Institute of Standards and Technology’s risk assessment framework.
- Initiation of CyberStat review sessions to follow on to the Cyberscope reporting system, which captures three channels of information.
- Establishment of strategic sourcing agreements for cybersecurity products and services.
- Launching of the National Initiative for Cyber Education.
The picture OMB is trying to paint is best summed up in this sentence from the report: “In the past few years, the Federal government as a whole has begun to harness these techniques developed by forward-thinking agencies – as well as industry best practices – to move FISMA implementation toward the real-time detection and mitigation of security vulnerabilities.”
So how are agencies doing? From this report it is possible only to tell how agencies are doing in aggregate. OMB has removed specific agency names associated with each metric. For example, that agencies A, B, C, and D have 100 percent of their IT assets set up for automated inventorying. But Agency X has only 22 percent. Similarly, agencies are supposed to have their end points encrypted. Only half of the government’s portable computers are encrypted on average. Agencies H, C, L, O, Q, and T are 100 percent encrypted. Agency F only 2 percent and Agency D 1 percent.
It seems like a little more transparency could give readers of the report more insight into where attention is needed for the various security metrics.
I think OMB could actually take a bit more credit for security than it does, though. Relying on figures from the U.S. Computer Emergency Readiness Team (US-CERT), OMB reports that about 42,000 (OMB states “approximately 41,776”) of 107,000 reports to US-CERT were federal, the rest reported by state and local agencies. Only 23 instances of denial-of-service occurred. Malicious code represented the most attacks.
In terms of attack vectors, phishing e-mail is the preferred hacker methodology, suggesting a little training could go a long way.
Nevertheless, the perennial problems persist. Deep into the report is where we learn that all of the 24 CFO Act agencies had so-called plans of action and milestones to record weaknesses identified via tests, audits and continuous monitoring. But 16 agencies’ POA&Ms need “significant” improvement because either they don’t capture all of the weaknesses or the remediation procedures are inadequate. This information comes from inspectors general findings.
The IGs were less than impressed with agency continuous monitoring. In fact, OMB states, “agencies’ continuous monitoring programs needed the most improvement of any area programs.”
The Federal Insider talks cybersecurity
IGs also report:
- Identity management is a fully developed function in only five of the 24 CFO Act agencies.
- Contingency plans are up to snuff in only eight agencies.
- Contractor oversight is adequate in six of the 24.
Interesting that FISMA is much maligned because of its purported emphasis on compliance reporting as opposed to real world repair of cybersecurity weaknesses. Yet the annual FISMA report is effective at showing precisely where vulnerabilities exist. And there’s nothing in FISMA stopping agencies from making the necessary improvements.