Agencies' security efforts stall, report says

Compliance with IT security requirements for executive branch agencies dropped slightly in the last fiscal year, highlighting the challenges of monitoring and hardening networks and systems in the face of increasing threats and decreasing budgets.

Agency FISMA compliance scores

Scores on a scale of 100

99  Nuclear Regulatory Commission
99  General Services Administration
99  Homeland Security
98  Social Security Administration
94  Justice
92  NASA
92  Interior
90  National Science Foundation
82  Labor
81  Veterans Affairs
79  Education
77  Office of Personnel Management
77  Environmental Protection Agency
76  Treasury
72  Energy
66  USAID
66  HUD
61  Commerce*
57  Small Business Administration
53  Transportation
53  State
50  Health and Human Services
34  Department of Agriculture
NA  Defense**

* The score reflects a risk assessment by the OIG based on a limited number of attributes.

** DOD did not provide the answers with the detail required for scoring for FY2012.

Source: Fiscal year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002

As the administration focuses on a handful of key capabilities to enhance federal cybersecurity, overall compliance with the Federal Information Security Management Act slipped from 75 percent in fiscal 2011 to 74 percent in 2012, according to the annual report from the Office of Management and Budget.

Performance varied widely among agencies and capabilities being measured, but most agencies could claim progress on meeting three top priorities identified in 2012: the Trusted Internet Connection (TIC) program, continuous monitoring and strong authentication. Even in these Cross Agency Priorities, however, improvement has been spotty.

FISMA lays out the basic security requirements for non-national security IT systems, including system monitoring, implementation of risk-based security controls and regular reporting. Specific standards and practices are defined by the National Institute of Standards and Technology, and metrics for evaluating compliance are spelled out annually by OPM.

“The federal information security defensive posture is a constantly moving target, shifting due to a relentless, dynamic-threat environment, emerging technologies, and new vulnerabilities,” OPM notes in the report. As a result, priorities shift from year to year and progress varies.

In 17 capabilities measured in the most recent report, nine showed improvement from the previous year, five moved down, one remained unchanged and two were not measured in fiscal 2011.

Two of the sharpest improvements reported were in TIC, with traffic consolidation up 16 points and intrusion detection and prevention capabilities up 12 points. But another priority area, the use of Personal Identity Verification (PIV) credentials for strong authentication when logging onto government systems, dropped by nine points.

As of Sept. 1, 2012, agencies reported that 96 percent of employees and contractors requiring PIV cards had received them. But the share of user accounts configured to require PIV cards for authentication dropped to 57 percent last year, down from 66 percent the year before. This was largely because of decreases at the Defense and Agriculture departments, the report said.

Requiring use of PIV cards for access control can be difficult because not only do legacy systems have to be upgraded to enable the use of smart cards, digital certificates and biometrics, but there also is a constant influx of new systems and devices, including personal mobile devices that must be accommodated.

NIST is in the process of revising the technical standards for PIV credentials, Federal Information Processing Standard 201, to address the integration of PIV with mobile devices. It also is working on a new Special Publication 800-157, “Guidelines for Personal Identity Verification (PIV) Derived Credentials,” which could be used with devices that traditionally do not have smart card readers.

Performance in continuous monitoring, the third cybersecurity priority, showed improvement in two areas: automated asset management and vulnerability management. But automated configuration management dropped from 78 percent in 2011 to 70 percent in 2012. The report blamed this shift on a sharp drop in DOD, from 95 percent to 53 percent, which it said was caused by a change in reporting criteria.

Although user training dropped by 11 points, from 99 percent to 88 percent, OMB said that agencies still are “generally meeting the annual requirements” for making IT users aware of security issues. But the report also showed that phishing attacks, which rely on social engineering, accounted for the large majority of security incidents reported to US-CERT last year. This type of attack puts a premium on user awareness, said Harry Sverdlove, CTO of the security company Bit9. “One of the best lines of defense against phishing is user training,” he said.

The Homeland Security Department, which has the nominal lead in ensuring FISMA compliance, conducted face-to-face CyberStat reviews with the Office of Personnel Management, U.S. Agency for International Development, the Agriculture, Justice, Transportation and Labor departments, and NASA last year. The top challenges named by these agencies in FISMA compliance were:

  • Organizational culture.
  • The need to upgrade legacy systems to support new capabilities.
  • Distributed budget authority.
  • Acquiring skilled staff.
  • Financial resources.
