Fourteen of 24 federal agencies met the Office of Management and Budget’s (OMB) authentication goals during a directed 30-day cybersecurity sprint, the White House said Friday.

Following the Office of Personnel Management (OPM) hacks (Defense Daily, June 17), OMB launched the sprint “to immediately take a number of steps to further protect federal information and assets and improve the resilience of federal networks,” the original fact sheet said.

As part of the sprint, OMB directed agencies to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems and drastically increase the use of strong authentication, especially for privileged users.

The 14 agencies met or exceeded a target of having 75 percent of all users of a federal network use strong authentication. Implementing strong authentication requires the use of a hardware-based personal identity verification (PIV) card or an alternate form of strong multi-factor authentication. Under multi-factor authentication, a user must verify their identity using the personal card or a unique one-time code in addition to traditional login procedures.

“Over the course of the sprint, agencies made significant progress in this area,” Tony Scott, the U.S. chief information officer (CIO), said in a White House blog post announcing the results.

According to the performance.gov progress website, the agencies that passed the target include the General Services Administration (GSA), OPM, National Science Foundation, Social Security Administration, Environmental Protection Agency, Nuclear Regulatory Commission (NRC), as well as the departments of Homeland Security (DHS), Treasury, Transportation (DOT), Interior, Commerce, Health and Human Services and Defense.

OPM was one of the top performers, with 97 percent of all users and 100 percent of privileged users using strong authentication. GSA, DHS, and DOT also had more than 90 percent of all users using strong authentication. Twelve of the 14 agencies that met the goal now have over 90 percent of privileged users using strong authentication. The other two agencies, the Department of Defense at 58 percent and NRC at 84 percent, still improved significantly.

The White House said the overall results represent a 30 percent increase since the previous quarter’s data, from 42 to 72 percent. Authentication for privileged users increased over 40 percent from an average of 33 percent to almost 75 percent.

The departments of Justice and State were surprisingly low on the list. Both increased their share of privileged users using strong authentication, from 26 to 83 percent and 21 to 76 percent, respectively.

The worst performer listed, on all measures, was the Department of Energy. Privileged user authentication increased only five percent to 13 percent at the end of the sprint, and unprivileged user authentication actually went down from 34 to 11 percent.

Although this overall improvement is encouraging, the government plans more work on this front.

“The work of addressing cyber risks is never done. Agencies are reducing the number of privileged users and working with DHS to scan their networks on an ongoing basis for known critical vulnerabilities,” Scott said.

Tony Scott, U.S. Chief Information Officer. Photo: U.S. Office of Management and Budget.

Scott highlighted that “to accelerate and amplify the work and objectives of the sprint, a team of over 100 experts from across the government and private industry are now leading a review of the federal government’s cybersecurity policies, procedures, and practices.”

The team’s assessment will inform action plans and strategies to further address cybersecurity priorities and recommend a cybersecurity sprint strategy and implementation plan, which will be released in the coming months, Scott said.

He also emphasized the White House needs help from Congress because “decades of underfunding and years of uncertainty in budgets and resourcing for strategic and critical IT capabilities like cybersecurity have contributed to the current unsustainable state of the federal government’s networks.”