Federal Agencies Slipping on Cyber Hygiene


A new report released today from One Identity found that Federal agencies lack basic elements of cyber hygiene. The study, conducted by Dimensional Research and sponsored by identity and access management (IAM) solutions provider One Identity, found that “while agency leaders recognize IAM’s importance, the majority of agencies have yet to fully adopt recommended guidelines into their cybersecurity program and some even feel their current approach distracts from agency missions.”

“This research reveals a lack of alignment between IAM requirements and realities at federal agencies. It’s imperative that agency leadership prioritize identity management and leverage guidance already in place to prevent data from falling into the wrong hands,” said Dan Conrad, Federal CTO at One Identity.

In April 2018, the Office of Management and Budget (OMB) issued new identity management guidance in the form of the Identity, Credential, and Access Management (ICAM) policy, which sets out measures to strengthen an agency’s ability to control access to sensitive information. While OMB may be emphasizing ICAM, the 200+ Federal IT security professionals all said their agency has room for improvement across focus areas in the ICAM policy. However, the policy has seen some success: 99 percent of respondents felt the policy has had a “positive impact on current identity and access management guidance.”

In terms of who supports IAM initiatives, civilian agencies find them far more useful than intelligence and defense agencies. Nearly 60 percent of all agencies agree that IAM-related initiatives enable the agency’s mission. However, when broken down by agency type, it becomes clear that civilian agencies have a far more positive outlook. Seventy-one percent of civilian agencies said they consider IAM a “mission enabler,” while 52 percent said that IAM initiatives “make it difficult to achieve their missions.” The report concludes, “this disparity reveals the need for flexible IAM solutions that allow agencies to securely and efficiently meet their needs.”

Another area the report examined was the National Institute of Standards and Technology (NIST) Identity Guidelines. Unfortunately, only 41 percent of agencies reported having met the deadlines outlined in NIST’s policy. While 40 percent of agencies said they are making progress, a full 10 percent have yet to act or will not act on NIST’s guidelines.

Building off Federal guidance surrounding IAM, One Identity asked survey respondents which element of IAM would benefit from “more effective Federal guidance.” The area most in need of guidance, according to 40 percent of respondents, is authentication. Authorization came in second, with 26 percent of respondents selecting it; 20 percent said administration could most benefit, and 15 percent listed audit as the area most in need of guidance.

“Effective cybersecurity begins with a comprehensive IAM approach that includes account authentication, authorization, administration and auditing,” Conrad concluded. “This way, [agencies] don’t have to sacrifice efficiency to protect sensitive government information.”
