Agencies improving security of IT networks slowly, but surely

Monday - 6/10/2013, 5:26am EDT

Andy Ozment, senior director for cybersecurity, Executive Office of the President

The pressure on agencies to improve their cybersecurity already is paying off.

White House cybersecurity officials say the government saw significant improvements across all three cross-agency cybersecurity goals in the six months since they were established.

Those goals include implementing continuous monitoring, strengthening Internet gateways through the Trusted Internet Connections Initiative and using two-factor authentication to log on to federal networks under Homeland Security Presidential Directive-12 (HSPD-12).

The White House updated agency progress in meeting those three cybersecurity goals on the Performance.gov website.

"This quarter, combining all three goals, we've increased by 5 percent in a single quarter so our overall score is 81 percent," said Andy Ozment, the senior director for cybersecurity in the Executive Office of the President, in an exclusive interview with Federal News Radio. "The cybersecurity goals combine three priorities and our goal is in two years to hit 95 percent. We take these three priorities, we weight them in different ways and we combine them into one number, so that 81 percent represents the progress when you add all the agencies up. It's not 81 percent of the agencies are getting to that goal, but when you add all the agencies up they've implemented 81 percent of this across the government."

Agencies started out with a score of 76.8 percent in the fourth quarter of fiscal 2012. It dropped to 75.8 percent during the first quarter of 2013.

The White House's goal by the end of 2014 is to get the government to 93.2 percent across all three cross-agency goals.

HSPD-12 up by 14 percent

The biggest reason for the increase was the implementation of two-factor authentication. Ozment said the implementation of HSPD-12 jumped 14 percentage points to 67.2 percent.

The summary on Performance.gov stated most of the increase is due to the Defense Department, which made logging on to the network using the common access card (CAC) a requirement in 2006. But when DoD is removed from the equation, the administration said two-factor authentication implementation grew by almost 3 percent last quarter.

Ozment said it's a matter of getting the technology pieces in place and many agencies are starting to do that.

The summary stated the Education Department saw the biggest increase in using HSPD-12 cards, while the General Services Administration, the State Department and the Office of Personnel Management saw significant decreases from their results in the first quarter of 2013.

Eight agencies, including the departments of Housing and Urban Development, Transportation and Labor, made no progress and still do not require the smart cards for network access.

"DoD alone causes the USG to reach the FY2014 minimum target for PIV," the summary stated. "This may take away the urgency from other agencies to accelerate their progress towards the CAP goal."

Agencies made less dramatic progress on continuous monitoring, and consolidating and protecting Internet gateways under TIC, but still moved the needle in the right direction.

Configuration management increases the most

Ozment said agencies increased continuous monitoring by 5 percent to just under 84 percent last quarter.

A senior administration official said the percentage refers to the fact that 84 percent of all IT assets that can be continuously monitored are being watched in real or near-real time. The official said hardware such as servers, workstations and mobile devices typically falls under continuous monitoring, but other technologies such as USB drives and static devices can't be or don't have to be continuously monitored.

The White House stated 20 agencies reached the minimum target of 80 percent for automated asset management, one part of continuous monitoring, while 11 reached or exceeded the goal of 95 percent.

Across the government, automated asset management rose 2.2 percent, while automated vulnerability management rose 2.1 percent and automated configuration management rose 11.2 percent.

The departments of Agriculture and Energy, and the Social Security Administration saw the biggest jumps last quarter.

Transportation, the National Science Foundation and the Department of Commerce suffered the biggest drops in quarter-over-quarter comparisons.

Under the TIC initiative, Ozment said agencies achieved 85.3 percent in terms of the capabilities they are implementing.

He said the TIC consolidation program requires a lot of discovery and agencies are finding Internet gateways they didn't know existed. The Homeland Security Department is one such agency that found previously unknown Internet connections.

The White House said 18 of the 23 CFO Act agencies achieved a minimum target of consolidating 80 percent of their gateways, and 16 reached the goal of 95 percent.