BreachExchange mailing list archives

OMB: Agencies Improving IT Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:36:00 -0600

http://www.databreachtoday.com/omb-agencies-improving-security-a-6817

As the number of cybersecurity incidents increases, departments and agencies
are doing a better job of complying with the law that governs IT security
in the U.S. federal government, a new report to Congress from the White
House says.

In its annual Federal Information Security Management Act report to
Congress, the Office of Management and Budget describes how federal
agencies did better in implementing security programs in fiscal 2013, which
ended last Sept. 30, than they did the previous year.

Beth Cobert, OMB deputy director for management, says the report notes
progress federal agencies made in key areas of information security. "OMB
continues to work with agencies to fulfill the requirements of FISMA and
implement increasingly resilient information technology security and
privacy management programs," Cobert says in a letter to the chairmen of
congressional committees with IT security oversight.

"While the sophistication and diversity of threats to government systems
and information continue to increase, departments and agencies are
demonstrating progress in implementing solutions designed to mitigate their
risk," the report says.

In 2012, government agencies, on average, met 73 percent of the FISMA
requirements. That percentage rose to 81 percent last year, with
significant improvements in adoption of automated configuration management,
remote access and e-mail encryption.

Compliance with cross-agency performance goal strategies saw similar
improvements, with average agency compliance rising from 77 percent in 2012
to 81 percent in 2013. CAP goals include trusted internet connections,
continuous monitoring and strong authentication.

Three Comprehensive Initiatives

OMB tells Congress that the federal government has undertaken three
comprehensive initiatives to ensure the continued safety of federal
systems: protecting existing information and information systems,
supporting the safe and secure adoption of emerging technology, and building
a sophisticated information security workforce.

"The federal government has made it a priority to protect systems and
information from threats like malicious code attacks through the
utilization of both technical capabilities and cooperative frameworks," the
report says. "As the government expands upon these capabilities, it must
remain cognizant of supporting the adoption of emerging technologies in a
secure manner to reduce the threat of compromising sensitive information."

OMB says the government will require a strong information security
workforce that's able to operate in an increasingly complicated digital
environment. "While threats to federal systems and information will
continue to evolve, utilizing the three-pronged approach ... will ensure
that federal capabilities will evolve as well," the report says.

As part of the trusted Internet connection initiative, the government has
deployed the intrusion prevention system known as Einstein 3 Accelerated,
which OMB says is focused on countermeasures to address 85 percent of the
cybersecurity threats targeted at executive branch civilian agencies.

OMB, in the report, also points out that the National Institute of
Standards and Technology is developing new guidance aimed at increasing
information security by providing alternative authentication solutions for
mobile devices and other end-user devices when the use of a personal
identity verification card for network access would be impractical.

Trusted Identities

In support of the government's National Strategy for Trusted Identities in
Cyberspace and Identity, Credential and Access Management initiatives, OMB
says several agencies are working with the Postal Service and General
Services Administration in piloting a federal cloud credential exchange
initiative that should soon go live. The pilot will test a secure,
privacy-enhancing and interoperable mechanism for government applications
to accept federally approved, externally issued credentials, according to
OMB.

The report discloses that federal agencies spent more than $10 billion on
IT security in fiscal 2013, including $4.1 billion to improve the
effectiveness of cybersecurity efforts, $3.6 billion to prevent malicious
cyber-activity and $2.7 billion to detect, analyze and mitigate intrusions.

Unlike other sectors, where phishing is the most common type of security
incident reported to the United States Computer Emergency Readiness Team,
the most common incident reported by the 24 largest departments and
agencies, known as CFO Act agencies, was a category labeled non-cyber. The
government defines non-cyber as the leaking or mishandling of personally
identifiable information involving hard copies or printed materials
rather than digital records. Non-cyber represented more than one-quarter of
the incidents reported by large agencies. The most reported digital incident
among large agencies, at nearly 20 percent, was policy violation.

As a comparison, policy violation accounted for 5.2 percent and non-cyber
6.7 percent of incidents reported to U.S. CERT in 2013.

Among smaller federal agencies, suspicious network activity was the most
common reported security incident, at 22 percent, a category that's
primarily used for incident reports and notifications created from Einstein
traffic-flow monitoring and Einstein 2 intrusion detection systems data
analyzed by U.S. CERT.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 