Agencies reset after missing the mark on cybersecurity goals

Monday - 7/14/2014, 2:52pm EDT

By Stephanie Wasko
Special to Federal News Radio

Despite steps forward, agencies fell short of their 2014 targets for cybersecurity. The Obama administration is pushing chief information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to the newly released cross-agency priority goals on Performance.gov.

The administration continues encouraging agencies to implement information security continuous monitoring mitigation (ISCM), which continually evaluates agency cybersecurity processes and practices, according to the report. This goal carries over from last year, when agencies saw an increase in real-time awareness that enabled them to manage risks more effectively. Despite this improvement, the administration wants more cybersecurity evaluation.

"Moving forward, with the benefit of improved specificity and guidance, the meaningful measurement of continuous monitoring must include both the constituent capabilities specified by ISCM/CDM, but must also look at the degree of implementation and the alignment between policy, processes and tools," the report states.

In addition to ensuring agencies implement continuous monitoring, the report emphasizes the need for officials to counter the evolving tactics of cyber attackers. Reported cyber incidents have increased by 24 percent since 2012, according to the progress update, which is why the administration is calling on agencies to prioritize strengthening their phishing and malware defenses.

"Advances in anti-phishing measures have caused attackers to increase the sophistication of their techniques to bypass detection. The frequency and sophistication of phishing attacks have increased, and spyware has proven to be difficult to detect and remove," the report explains.

Finally, agencies are being asked to continue improving authorization processes through personal identity verification (PIV). However, 2015 goals will no longer include Trusted Internet Connections (TIC) priorities because the "implementation issues are well understood and mechanism and resources are in place for monitoring and supporting the TIC directive."

The administration saw many agencies adopt PIV over the past year, but only for a "passing" grade. According to the report, officials will use more metrics on the implementation and maturity of PIV systems to promote more use across agencies.

Although the 2014 TIC priority will not carry over, the report states that the administration is encouraging agencies to transition to EINSTEIN 3 Accelerated programs to keep unwanted users off agency networks.

The administration says chief information officers should be leading agency efforts to improve cybersecurity and they should be supported by chief performance improvement officers. PIOs should help CIOs by making cybersecurity data and metrics transparent, reaching out to other offices for CIO support, and helping program leaders promote healthy cybersecurity practices and responsibility.

"A CIO must be empowered with executive leadership support, authority and resources to direct agency activity to successfully implement these priorities and make progress," the report states.

Before reaching these goals, CIOs and PIOs must first fully adopt the Federal Information Security Management Act (FISMA) requirements, according to the Performance.gov update. This would help agencies better monitor their cybersecurity practices and progress. FISMA also gives agency chief information officers the responsibility of enforcing information security compliance.

Despite an overall increase of 2.82 percent in cybersecurity capabilities over the past year, the most recent FISMA metrics fell roughly 10 percent short of FY 2014 targets, according to the cross-agency priority goals update. FISMA results included a 4.45 percent increase in continuous monitoring, but also a 3.8 percent drop in strong authentication.

For the remainder of this fiscal year, the Department of Homeland Security's Federal Network Resilience will evaluate cybersecurity metrics from across agencies in order to establish achievable goals for the following few years, the report stated.

"After developing a comprehensive set of metrics for each priority area, DHS will develop a factored scoring scheme, applying a weighted score to each individual factor. The factors will be identified through consultation with government and industry partners and validated through interagency working groups," the CAP report stated.

Stephanie Wasko is an intern with Federal News Radio.
