A number of improvements have been and are continuing to be made to boost the cyber security posture of several federal agencies and departments following the 2015 disclosure of a major data breach at the Office of Personnel Management (OPM), top information technology officials at these agencies told a House panel on Nov. 16.
At the Department of Agriculture, the initial deployment of the Department of Homeland Security’s most advanced cyber threat detection and prevention capability, EINSTEIN 3 Accelerated (E3A), has been completed, and the department is on track to complete installation of more of the cyber security platform’s capabilities in time to meet December deadlines outlined by DHS, Jonathan Alboum, chief information officer (CIO) at the Agriculture Department, told the House Oversight and Government Reform Subcommittee on Information Technology.
Alboum also said that he has made the deployment of the DHS Continuous Diagnostics and Mitigation (CDM) tools a “priority” at his department, and is in the process of implementing the Phase 1 capabilities of the program. The initial phase of CDM provides tools for agencies and departments to better understand what is on their networks, where vulnerabilities might be, and what needs to be modernized.
NASA is also deploying E3A across its organization, although the deployment has encountered some challenges at some of its centers, Renee Wynn, the agency’s CIO, said in her prepared remarks for the panel. She stated the agency is working with DHS to “resolve technical issues and enable NASA to meet the Dec. 18, 2016 deadline for full deployment.”
NASA has begun initial operations with the first phase of CDM at Kennedy Space Center, where it expects to generate lessons learned before rolling out these cyber security tools across the agency, Wynn said.
The Social Security Administration (SSA) completed deployment of E3A in March and is on schedule to deploy the first phase of CDM in December, Robert Klopp, the agency’s CIO, told the subcommittee.
Klopp said that there is a constant process of “discovery and remediation” when it comes to strengthening his agency’s cyber security posture, adding that DHS has twice come to SSA to evaluate its high value assets and has made 16 recommendations and highlighted two critical items, one being a vulnerability. He said eight of the items, including the two critical ones, have been resolved.
No new critical vulnerabilities have been found, Klopp said, noting that DHS conducts weekly cyber hygiene scans of his agency’s networks.
In the wake of the OPM breach, the Obama administration instituted a federal-wide cyber sprint aimed at identifying and taking steps to bolster the cyber security of agencies. One of the outcomes was requiring agency personnel to use Personal Identity Verification (PIV) cards or some form of multi-factor authentication to log on to and navigate their computer networks.
Klopp said that 100 percent of SSA’s privileged users are using PIV cards in addition to passwords. He added that 98 percent of unprivileged users are using PIV cards. The remaining unprivileged users without PIV cards are state employees, and SSA is negotiating with the states and employee unions to close this gap.
Alboum said that 96 percent of Agriculture’s privileged users are using PIV cards and 100 percent are either using PIV cards or some form of multifactor authentication, while 92 percent of unprivileged users are using the cards. He said achieving 100 percent deployment of PIV cards is a challenge because of employee turnover and the time it takes to go through the process of getting the cards, adding that the goal is to “dramatically decrease” this time.
NASA’s Wynn said 100 percent of her agency’s privileged users have PIV cards, but NASA is still sorting out which unprivileged users need the cards. She said the agency’s new Chief Information Security Officer is working on this issue and the “universe” of who needs a PIV card will be changing, so there will be a reported dip in FY ’16 in the percentage of employees required to have the cards who have them. She said there will be “significant progress” throughout FY ’17 and that early in 2018 NASA will be at 100 percent.
Alboum also said that his department is working with the Pentagon’s Defense Advanced Research Projects Agency to pilot “Big Data” technologies that analyze trends and anomalies related to security data.
“As positive results are demonstrated, USDA will explore the potential for a department-wide rollout of these tools,” Alboum said.
The Agriculture Department’s Security Operations Center (SOC) has begun to use “Big Data” tools in furthering its cyber security posture, Alboum said. The combination of EINSTEIN, CDM and the SOC positions the department “to proactively detect, prevent and mitigate cyber attacks,” he said.