Agencies' security efforts stall, report says
Compliance with IT security requirements for executive branch agencies dropped slightly in the last fiscal year, highlighting the challenges of monitoring and hardening networks and systems in the face of increasing threats and decreasing budgets.
Agency FISMA compliance scores (scores on a scale of 100)

| Score | Agency |
|---|---|
| 99 | Nuclear Regulatory Commission |
| 99 | General Services Administration |
| 99 | Homeland Security |
| 98 | Social Security Administration |
| 90 | National Science Foundation |
| 81 | Veterans Affairs |
| 77 | Office of Personnel Management |
| 77 | Environmental Protection Agency |
| 57 | Small Business Administration |
| 50 | Health and Human Services |
| 34 | Department of Agriculture |

* The score reflects a risk assessment by the OIG based on a limited number of attributes.
** DOD did not provide the answers with the detail required for scoring for FY2012.
Source: Fiscal year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002
As the administration focuses on a handful of key capabilities to enhance federal cybersecurity, overall compliance with the Federal Information Security Management Act slipped from 75 percent in fiscal 2011 to 74 percent in 2012, according to the annual report from the Office of Management and Budget.
Performance varied widely among agencies and capabilities being measured, but most agencies could claim progress on meeting three top priorities identified in 2012: the Trusted Internet Connection (TIC) program, continuous monitoring and strong authentication. Even in these Cross Agency Priorities, however, improvement has been spotty.
FISMA lays out the basic security requirements for non-national security IT systems, including system monitoring, implementation of risk-based security controls and regular reporting. Specific standards and practices are defined by the National Institute of Standards and Technology, and metrics for evaluating compliance are spelled out annually by OPM.
“The federal information security defensive posture is a constantly moving target, shifting due to a relentless, dynamic-threat environment, emerging technologies, and new vulnerabilities,” OPM notes in the report. As a result, priorities shift from year to year and progress varies.
In 17 capabilities measured in the most recent report, nine showed improvement from the previous year, five moved down, one remained unchanged and two were not measured in fiscal 2011.
Two of the sharpest improvements reported were in TIC, with traffic consolidation up 16 points and intrusion detection and prevention capabilities up 12 points. But another priority area, the use of Personal Identity Verification (PIV) credentials for strong authentication when logging onto government systems, dropped by nine points.
As of Sept. 1, 2012, agencies reported that 96 percent of employees and contractors requiring PIV cards had received them. But the share of user accounts configured to require PIV cards for authentication dropped to 57 percent last year, down from 66 percent the year before. This was largely because of decreases at the Defense and Agriculture departments, the report said.
Requiring use of PIV cards for access control can be difficult: not only do legacy systems have to be upgraded to support smart cards, digital certificates and biometrics, but there is also a constant influx of new systems and devices, including personal mobile devices, that must be accommodated.
NIST is in the process of revising the technical standards for PIV credentials, Federal Information Processing Standard 201, to address the integration of PIV with mobile devices. It also is working on a new Special Publication 800-157, “Guidelines for Personal Identity Verification (PIV) Derived Credentials,” which could be used with devices that traditionally do not have smart card readers.
Performance in continuous monitoring, the third cybersecurity priority, showed improvement in two areas: automated asset management and vulnerability management. But automated configuration management dropped from 78 percent in 2011 to 70 percent in 2012. The report attributed this shift to a sharp drop at DOD, from 95 percent to 53 percent, which it said was caused by a change in reporting criteria.
Although user training dropped by 11 points, from 99 percent to 88 percent, OMB said that agencies still are “generally meeting the annual requirements” for making IT users aware of security issues. But the report also showed that phishing attacks, which rely on social engineering, accounted for the large majority of security incidents reported to US-CERT last year. This type of attack puts a premium on user awareness, said Harry Sverdlove, CTO of the security company Bit9. “One of the best lines of defense against phishing is user training,” he said.
The Homeland Security Department, which has the nominal lead in ensuring FISMA compliance, conducted face-to-face CyberStat reviews with the Office of Personnel Management, U.S. Agency for International Development, the Agriculture, Justice, Transportation and Labor departments, and NASA last year. The top challenges named by these agencies in FISMA compliance were:
- Organizational culture.
- The need to upgrade legacy systems to support new capabilities.
- Distributed budget authority.
- Acquiring skilled staff.
- Financial resources.