Federal agencies are making progress toward achieving cyber security goals in three priority areas, although, overall, agencies are still short of meeting targeted metrics, the White House Office of Management and Budget (OMB) said in a report last March 10.
The metrics contained in the Cross-Agency Priority (CAP) goals allow OMB to track how well agencies are complying with, and applying, standards set forth by the National Institute of Standards and Technology.
“The Cybersecurity CAP goal has already improved awareness of security practices, vulnerabilities, and threats to the operating environment by limiting access to only authorized users and implementing technologies and processes that reduce the risk from malicious activity,” said the 121-page report, Federal Information Security Modernization Act of 2014: Annual Report to Congress.
There are three priority areas in the Cybersecurity CAP goals: Information Security Continuous Monitoring Mitigation (ISCM); Identity, Credential, and Access Management (ICAM); and Anti-Phishing and Malware Defense.
For ISCM, which is about maintaining awareness of cyber threats and vulnerabilities, agencies in general increased compliance in three of four areas (software asset management, vulnerability management, and secure configuration management) while holding steady in the fourth, hardware asset management, in FY ’16 versus FY ’15. However, the report says that in each area the metric target is 95 percent, yet the implementation percentage across all agencies ranges from 61 percent for Hardware Asset Management to 92 percent for Secure Configuration Management.
Under the ICAM goal—which requires network users to adopt strong authentication to access computer networks and limits users’ access to certain areas of networks—agencies showed progress in both goal metrics, Unprivileged User Personal Identity Verification (PIV) Implementation and Privileged User PIV Implementation. In both areas more agencies are meeting the metric targets, 85 percent and 100 percent respectively, than a year ago, though overall agencies are still short of the targets.
More agencies are also meeting the CAP goal metrics in the Anti-Phishing and Malware Defense category, which has as its goal the implementation of “technologies, processes, and training that reduce the risk of compromise through email and malicious or compromised web sites,” the report said.
The report said that there were 30,889 cyber security incidents reported by federal agencies in FY ’16, with 16 meeting the threshold of a major incident. The Federal Deposit Insurance Corporation (FDIC) reported 10 major incidents, the Departments of the Treasury and of Housing and Urban Development each reported two, and the Departments of Commerce and of Health and Human Services each reported one.
OMB said the major incidents at the FDIC in FY ’16 “generally stemmed from employees taking PII (Personally Identifiable Information) and other sensitive information on removable media in an unauthorized fashion.”
“During the year, Federal agencies made considerable progress in strengthening their defenses and enhancing their workforces to combat cyber threats,” the report said. “In particular, agencies worked to enforce the use of multi-factor Personal Identity Verification cards, with 81 percent of government users now using this credential to access Federal networks. Additionally, over 70 percent of Federal agencies have employed strong anti-phishing and malware capabilities to help safeguard their networks from malicious activity.”