Federal agencies remain woefully behind on cybersecurity, according to the annual cybersecurity compliance report released Friday by the Office of Management and Budget.
During the 2015 fiscal year, Federal agencies reported 77,183 cybersecurity incidents, a 10% increase over the incidents reported in 2014. Though the administration believes this increase may be attributed to improved detection systems, much of the report found that Federal agencies were deficient in many areas of cybersecurity.
The annual report to Congress on agency compliance with the Federal Information Security Modernization Act of 2014, known as FISMA, found that 15 of 24 major agencies had Information Security Continuous Monitoring (ISCM) at an Ad Hoc level, meaning that their security systems were purely reactive and without a formalized plan for cyber-attacks. The Inspectors General report also identified several performance areas in need of improvement, including configuration management, identity and access management, and risk management practices.
According to the report, agencies scored an average of 72 percent in the ability to detect unauthorized hardware, 74 percent in anti-phishing defenses, and 52 percent in ISCM vulnerability management capabilities.
Not included in the report, but prevalent in the public consciousness, is the 2013 OPM hack, which exposed 22 million Federal employees’ personal information in 2015.
In light of the many cybersecurity deficiencies, the Federal chief information officer launched a 30-day cyber sprint across agencies in June 2015, designed to rapidly improve their cybersecurity practices. This sprint accounts for many of the security advances included in the report, such as raising the use of Personal Identity Verification (PIV) cards from 42% to 72%. Requiring these cards helps agencies control who is accessing an agency network.
Since the closing date of the report, November 2015, the Federal government has placed an emphasis on cybersecurity. In February 2016, the Administration announced the Cybersecurity National Action Plan (CNAP), which directs the Federal government to take actions that will dramatically increase the level of cybersecurity in the Federal government. Alongside this, President Obama’s proposed 2017 budget would include $19 billion to improve Federal IT security, such as replacing severely outdated IT systems.
However, many of the proposed improvements contained within CNAP and the President’s 2017 budget rely on uncertain, external factors. For example, the 2017 budget proposal must be accepted by Congress. And Federal agencies already lack the breadth of IT personnel needed to initiate significant change. The report admits to this severe lack of cybersecurity professionals, stating, “There are a number of existing Federal initiatives to address this challenge, but implementation and awareness of these programs is inconsistent.”
As many of the suggested fixes for Federal cybersecurity are only in their beginning stages, it is impossible to say whether the findings in the OMB report will turn more favorable in the coming year.