
Mar 15

Agencies’ security efforts stall, report says

From: GCN

By William Jackson

Compliance with IT security requirements for executive branch agencies dropped slightly in the last fiscal year, highlighting the challenges of monitoring and hardening networks and systems in the face of increasing threats and decreasing budgets.

As the administration focuses on a handful of key capabilities to enhance federal cybersecurity, overall compliance with the Federal Information Security Management Act slipped from 75 percent in fiscal 2011 to 74 percent in 2012, according to the annual report from the Office of Management and Budget.

Performance varied widely among agencies and capabilities being measured, but most agencies could claim progress on meeting three top priorities identified in 2012: the Trusted Internet Connection (TIC) program, continuous monitoring and strong authentication. Even in these Cross Agency Priorities, however, improvement has been spotty.

FISMA lays out the basic security requirements for non-national security IT systems, including system monitoring, implementation of risk-based security controls and regular reporting. Specific standards and practices are defined by the National Institute of Standards and Technology, and metrics for evaluating compliance are spelled out annually by OMB.

“The federal information security defensive posture is a constantly moving target, shifting due to a relentless, dynamic-threat environment, emerging technologies, and new vulnerabilities,” OMB notes in the report. As a result, priorities shift from year to year and progress varies.

In 17 capabilities measured in the most recent report, nine showed improvement from the previous year, five moved down, one remained unchanged and two were not measured in fiscal 2011.

Two of the sharpest improvements reported were in TIC, with traffic consolidation up 16 points and intrusion detection and prevention capabilities up 12 points. But another priority area, the use of Personal Identity Verification (PIV) credentials for strong authentication when logging onto government systems, dropped by nine points.

As of Sept. 1, 2012, agencies reported that 96 percent of employees and contractors requiring PIV cards had received them. But the share of user accounts configured to require PIV cards for authentication dropped to 57 percent last year, down from 66 percent the year before. This was largely because of decreases at the Defense and Agriculture departments, the report said.

Requiring use of PIV cards for access control can be difficult: not only must legacy systems be upgraded to support smart cards, digital certificates and biometrics, but there is also a constant influx of new systems and devices, including personal mobile devices, that must be accommodated.

NIST is in the process of revising the technical standards for PIV credentials, Federal Information Processing Standard 201, to address the integration of PIV with mobile devices. It also is working on a new Special Publication 800-157, “Guidelines for Personal Identity Verification (PIV) Derived Credentials,” which could be used with devices that traditionally do not have smart card readers.

Performance in continuous monitoring, the third cybersecurity priority, showed improvement in two areas: automated asset management and vulnerability management. But automated configuration management dropped from 78 percent in 2011 to 70 percent in 2012. The report blamed this shift on a sharp drop in DOD, from 95 percent to 53 percent, which it said was caused by a change in reporting criteria.
