Federal agency cyber security remains woefully in arrears according to this annual cyber security compliance report
Federal agency cyber security needs to catch up with the times. Shamefully, Federal agencies' cyber security remains behind, according to the annual cyber security compliance report released by the Office of Management and Budget.
During 2015, Federal agencies reported over 77K cyber security incidents – a 10% increase over the incidents reported in 2014. Though the administration believes this increase may be attributed to improved detection systems, much of the report found that Federal agencies were deficient in many areas of cyber security.
The annual report to Congress on agency compliance with the Federal Information Security Modernization Act of 2014, known as FISMA, found that 15 of 24 major agencies had Information Security Continuous Monitoring (ISCM) at an Ad Hoc level, meaning that their security systems were purely reactive and without a formalized plan for cyber-attacks. The Inspectors General report also identified several performance areas in need of improvement, including configuration management, identity and access management, and risk management practices.
The Feds scored an average of 72% in ability to detect unauthorized hardware, 74% in anti-phishing defenses, and 52% in ISCM vulnerability management capabilities. (Just to note, in the 2013 OPM hack, 22 million Federal employees’ personal information was exposed.)
There were, of course, security advances included in the report, such as improving the use of Personal Identity Verification (PIV) cards from 42% to 72%. The required use of these cards helps to secure access to an agency network. Since the closing date of the report, November 2015, the Federal government has placed an emphasis on cyber security. In February 2016, the Administration announced the Cybersecurity National Action Plan (CNAP), which directs the Federal government to take actions that will dramatically increase the level of cyber security in the Federal government. Alongside this, President Obama’s proposed 2017 budget would include $19 billion to improve Federal IT security, such as replacing severely outdated IT systems.
The report admits to a severe lack of cyber security professionals, stating, “There are a number of existing Federal initiatives to address this challenge, but implementation and awareness of these programs is inconsistent.” As many of the suggested fixes for Federal cyber security are only in their beginning stages, it is impossible to say whether the findings in the OMB report will turn more favorable in the coming year.