Agencies still struggling to encrypt mobile devices

Monday - 3/21/2011, 7:27am EDT

By Jason Miller
Executive Editor
Federal News Radio

In the four years since the Office of Management and Budget mandated all laptops and mobile devices be encrypted, only 54 percent of those devices meet the directive.

In the wake of the Veterans Affairs Department losing a laptop with records of 26 million veterans, OMB issued a memo in June 2006 requiring agencies to meet four goals, including encrypting "all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your deputy secretary or an individual he/she may designate in writing and allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access."

OMB's fiscal 2010 Federal Information Security Management report to Congress found just over half of all mobile devices meet the National Institute of Standards and Technology's Federal Information Processing Standards-140-2 encryption standard.

The report stated 17 agencies have encrypted at least 75 percent of their mobile devices. Four agencies, however, have less than 25 percent, including two with less than three percent.

Agencies also have not met the requirement to implement two-factor authentication. The report stated that while 79 percent of employees who required secure smart cards under Homeland Security Presidential Directive-12 have them, 22 of 24 large agencies are not making progress in using them.

The document found that two agencies reported more than 80 percent of their user accounts require secure smart cards to log on to their networks. The rest of the agencies require less than four percent of their employees to use HSPD-12 cards for network access.

OMB stated that 55 percent of all employee accounts required smartcards to log on to the network.

OMB didn't provide the specific statistics for individual agencies in much of the report.

Overall, OMB reported that agency cybersecurity is improving across the board because agencies are moving toward continuous monitoring of their systems.

"To provide for more effective security at a lower cost, we have shifted the cybersecurity policy of the federal government from old-style, paper-based reports to continuous monitoring; launched a centralized platform run by the Department of Homeland Security for meaningful and actionable insight into agency cybersecurity postures governmentwide; and directed agencies to fund tools to support continuous monitoring and improve incident response," said Vivek Kundra, federal chief information officer, in an e-mail comment. "But monitoring systems alone is not sufficient. That is why the Department of Homeland Security launched CyberStat - face-to-face, evidence-based accountability sessions - to advance agency cybersecurity postures."

DHS launched CyberStat in 2011 based on the TechStat concept, where OMB brings all the key players together to address a poorly performing project.

"These meetings will bring agency leadership together to examine the metrics reported through Cyberscope and develop in-depth remediation plans to quickly address any issue," the report stated. "Through CyberStats, DHS will also be able to evolve security metrics and assist agencies to enhance data quality and completeness. Combining CyberScope and CyberStat together, this approach gives agencies information they have never had before about risks to their information and information systems; it also allows DHS to examine and correlate the data on risks across the entire federal enterprise and to provide such knowledge back to agencies."

In this year's budget passback, OMB set a deadline of the end of 2012 for agencies to have continuous monitoring in place.

It seems agencies can't implement continuous monitoring quickly enough. OMB reports that agencies saw a 39 percent increase in cyber attacks in 2010 compared to 2009. According to DHS's U.S. Computer Emergency and Response Team (CERT), agencies faced more than 41,000 cyber incidents in 2010, up from 30,000 in 2009.

"Malicious code through multiple means (e.g., phishing, virus, logic bomb) continues to be the most widely used attack approach," the report stated.

CERT reported that attacks through malicious code accounted for 31 percent of all attacks against federal agencies.

"The federal government continued to sponsor research and development of an Insider Threat assessment methodology and corresponding mitigation strategies through the US-CERT Insider Threat Center," the report stated. "This allows for ongoing case collection and analysis, development of a scalable, repeatable insider threat vulnerability assessment method, creation of a training and certification program, and development of new insider threat controls in the CERT Insider Threat Lab. Mitigating the malicious insider remains a significant challenge and requires the composite application of several tactics and capabilities that build one upon the other. The CERT Insider Threat Center has accelerated, and will facilitate, the identification and adoption of future insider threat controls through FISMA."