Only one Federal agency achieved the highest scores in each of the cybersecurity framework areas in the Federal Information Security Management Act (FISMA) report for fiscal year 2016, which shows that agencies still need to work on their cybersecurity strategies.
The Federal Election Commission, which governs the financing of Federal elections, received top scores for identifying, protecting, detecting, responding, and recovering from cybersecurity incidents. Although the FEC doesn’t deal with administering elections, the agency still witnessed allegations that the Russian government would attempt to hack the presidential election in November. Despite the controversy, the FEC came out on top with its cybersecurity strategies.
“We are very pleased with our cybersecurity efforts,” said Alec Palmer, chief information officer and staff director for the FEC. “Due to the sensitivity of the information, we cannot comment on anything specific. However, we continue to ensure that all FEC systems are adequately protected.”
Since the FEC is exempt from FISMA, the agency didn’t have to submit all of the information collected to the Department of Homeland Security; however, it issued an independent assessment that the FEC had achieved top standards for each cybersecurity category.
“Although the agency is exempt from FISMA and the E-Government Act, cybersecurity is at the top of the commissioners’ priorities,” said Palmer. “We are doing everything we can to follow industry best practice and cybersecurity frameworks including the implementation of the NIST Cyber Security Framework (CSF) and NIST Risk Management Framework (RMF).”
The Department of the Interior also chose to issue an independent assessment; however, the agency received low scores across the cybersecurity framework areas.
The private auditing company KPMG said that DOI must establish roles for government oversight to ensure that contractors are accomplishing the right goals, get approval for its incident response plan to ensure that it’s effective in stopping hackers, and align its contingency plans with NIST requirements.
The FISMA report noted that the DOI has made improvements in 2016 by reducing the number of privileged users, enforcing strong authentication for 99 percent of privileged users, enforcing strong authentication for 89 percent of unprivileged users, completing a high-value asset inventory and review, and continuing to deploy continuous diagnostics and mitigation tools.
Fiscal year 2016 was the first year that agencies were required to give additional information to DHS about cyberattacks on their networks due to the revised Incident Notification Guidelines, which required agencies to classify incidents by the method of attack. DHS found that there were 30,899 cyberattacks on agencies in 2016.
“While Federal agencies continued to make progress in strengthening their cyber defenses in FY 2016, a significant amount of work remains to implement these controls and protect Federal networks and data,” said Grant Schneider, acting Federal chief information officer. “While the shift to attack vector means that the FY 2016 incident data is not comparable to prior years’ incident data, the new approach allows OMB, DHS, and agencies to focus on incidents that may impact operations.”