The Obama administration has set new cross-agency priority goals for managing government as part of its 2015 budget. Federal News Radio examines the eight areas identified by the White House: people and culture, customer delivery, strategic sourcing, smarter IT delivery, shared services, open data, lab-to-market, and benchmark and improve mission-support operations.
Agencies reset after missing the mark on cybersecurity goals
Monday - 7/14/2014, 2:52pm EDT
Special to Federal News Radio
Despite steps forward, agencies fell short of their 2014 targets for cybersecurity. The Obama administration is pushing chief information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to the newly released cross-agency priority goals on Performance.gov.
The administration continues encouraging agencies to implement information security continuous monitoring mitigation (ISCM), which continually evaluates agency cybersecurity processes and practices, according to the report. This goal carries over from last year, when agencies saw an increase in real-time awareness that enabled them to manage risks more effectively. Despite this improvement, the administration wants more cybersecurity evaluation.
"Moving forward, with the benefit of improved specificity and guidance, the meaningful measurement of continuous monitoring must include both the constituent capabilities specified by ISCM/CDM, but must also look at the degree of implementation and the alignment between policy, processes and tools," the report states.
In addition to ensuring agencies implement continuous monitoring, the report emphasizes the need for officials to stop the evolving, modern tactics of cyber hackers. Reported cyber incidents increased by 24 percent since 2012, according to the progress update, which is why the administration is calling on agencies to prioritize the strengthening of their phishing and malware defenses.
"Advances in anti-phishing measures have caused attackers to increase the sophistication of their techniques to bypass detection. The frequency and sophistication of phishing attacks have increased, and spyware has proven to be difficult to detect and remove," the report explains.
Finally, agencies are being asked to continue improving authorization processes through personal identity verification (PIV). However, 2015 goals will no longer include Trusted Internet Connections (TIC) priorities because the "implementation issues are well understood and mechanism and resources are in place for monitoring and supporting the TIC directive."
The administration saw many agencies adopt PIV over the past year, but only for a "passing" grade. According to the report, officials will use more metrics on the implementation and maturity of PIV systems to promote more use across agencies.
Although the 2014 TIC priority will not carry over, the report states that the administration is encouraging agencies to transition to EINSTEIN 3 Accelerated programs to keep unwanted users off agency networks.
The administration says chief information officers should be leading agency efforts to improve cybersecurity and they should be supported by chief performance improvement officers. PIOs should help CIOs by making cybersecurity data and metrics transparent, reaching out to other offices for CIO support, and helping program leaders promote healthy cybersecurity practices and responsibility.
"A CIO must be empowered with executive leadership support, authority and resources to direct agency activity to successfully implement these priorities and make progress," the report states.
Before reaching these goals, CIOs and PIOs must first fully adopt the Federal Information Security Management Act (FISMA) requirements, according to the Performance.gov update. This would help agencies better monitor their cybersecurity practices and progress. FISMA also gives agency chief information officers the responsibility of enforcing information security compliance.
Despite an overall increase of 2.82 percent in cybersecurity capabilities over the past year, the most recent FISMA metrics fell just about 10 percent short of FY 2014 targets, according to the cross-agency priority goals update. FISMA results included a 4.45 percent increase in continuous monitoring, but also a drop in strong authentication by 3.8 percent.
For the remainder of this fiscal year, the Department of Homeland Security's Federal Network Resilience will evaluate cybersecurity metrics from across agencies in order to establish achievable goals for the following few years, the report stated.
"After developing a comprehensive set of metrics for each priority area, DHS will develop a factored scoring scheme, applying a weighted score to each individual factor. The factors will be identified through consultation with government and industry partners and validated through interagency working groups," the CAP report stated.
Stephanie Wasko is an intern with Federal News Radio.