Agencies still struggling to encrypt mobile devices

Despite a 2006 mandate to secure mobile devices and implement two-factor authentication, only just over half of federal agencies have managed to do so. OMB subm...

By Jason Miller
Executive Editor
Federal News Radio

In the four years since the Office of Management and Budget mandated all laptops and mobile devices be encrypted, only 54 percent of those devices meet the directive.

In the wake of the Veterans Affairs Department losing a laptop with records of 26 million veterans, OMB issued a memo in June 2006 requiring agencies to meet four goals, including encrypting “all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your deputy secretary or an individual he/she may designate in writing and allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.”

OMB’s fiscal 2010 Federal Information Security Management report to Congress found just over half of all mobile devices meet the National Institute of Standards and Technology’s Federal Information Processing Standards-140-2 encryption standard.

The report stated 17 agencies have encrypted at least 75 percent of their mobile devices. Four agencies, however, have less than 25 percent, including two with less than three percent.

Agencies also have not met the requirement to implement two-factor authentication. The report stated that while 79 percent of employees who required secure smart cards under Homeland Security Presidential Directive-12 have them, 22 of 24 large agencies are not making progress in using them.

The document found that two agencies reported more than 80 percent of their user accounts require secure smart cards to log on to their networks. The rest of the agencies require less than four percent of their employees to use HSPD-12 cards for network access.

OMB stated that 55 percent of all employee accounts required smartcards to log on to the network.

OMB didn’t provide the specific statistics for individual agencies in much of the report.

Overall, OMB reported that agency cybersecurity is improving across the board because agencies are moving toward continuous monitoring of their systems.

“To provide for more effective security at a lower cost, we have shifted the cybersecurity policy of the federal government from old-style, paper-based reports to continuous monitoring; launched a centralized platform run by the Department of Homeland Security for meaningful and actionable insight into agency cybersecurity postures governmentwide; and directed agencies to fund tools to support continuous monitoring and improve incident response,” said Vivek Kundra, federal chief information officer, in an e-mail comment. “But monitoring systems alone is not sufficient. That is why the Department of Homeland Security launched CyberStat – face-to-face, evidence-based accountability sessions – to advance agency cybersecurity postures.”

DHS launched CyberStat in 2011 based on the TechStat concept, where OMB brings all the key players together to address a poorly performing project.

“These meetings will bring agency leadership together to examine the metrics reported through Cyberscope and develop in-depth remediation plans to quickly address any issue,” the report stated. “Through CyberStats, DHS will also be able to evolve security metrics and assist agencies to enhance data quality and completeness. Combining CyberScope and CyberStat together, this approach gives agencies information they have never had before about risks to their information and information systems; it also allows DHS to examine and correlate the data on risks across the entire federal enterprise and to provide such knowledge back to agencies.”

OMB set a deadline of the end of 2012 for agencies to have continuous monitoring in place in this year’s budget passback.

It seems agencies can’t implement continuous monitoring quick enough. OMB reports that agencies saw a 39 percent increase in cyber attacks in 2010 compared to 2009. According to DHS’s U.S. Computer Emergency and Response Team (CERT), agencies faced for more than 41,000 cyber incidents in 2010, up from 30,000 in 2009.

“Malicious code through multiple means (e.g., phishing, virus, logic bomb) continues to be the most widely used attack approach,” the report stated.

CERT reported that attacks through malicious codes accounted for 31 percent of all attacks against federal agencies.

“The federal government continued to sponsor research and development of an Insider Threat assessment methodology and corresponding mitigation strategies through the US-CERT Insider Threat Center,” the report stated. “This allows for ongoing case collection and analysis, development of a scalable, repeatable insider threat vulnerability assessment method, creation of a training and certification program, and development of new insider threat controls in the CERT Insider Threat Lab. Mitigating the malicious insider remains a significant challenge and requires the composite application of several tactics and capabilities that build one upon the other. The CERT Insider Threat Center has accelerated, and will facilitate, the identification and adoption of future insider threat controls through FISMA.”

DHS also is working with the General Services Administration to put in place blanket purchase agreements under the SmartBuy program to make it easier for agencies to buy continuous monitoring services. DHS and GSA will award BPAs for Situational Awareness Incident Response (SAIR) Tier II and continuous monitoring services in 2011.

“The objective of this acquisition will be to award multiple BPAs for managed service providers capable of providing Risk Management Framework capabilities,” the report stated.

GSA also will lead a working group along with the Defense Department, NASA and others to eliminate counterfeit IT products in the supply chain.

The working group will “identify any gaps in legal authority, regulation, policy and guidance that preclude an optimal federal government procurement approach.”

Overall, agencies are spent $12 billion, or 15.6 percent of the federal IT budget, on cybersecurity in 2010. Most of the spending, 74 percent, went for IT security costs on personnel. Agencies spent eight percent of their IT budget on security tools and seven percent on implementing NIST guidance and security testing.

Personnel costs account for the majority of spending because 64 percent of the 79,000 employees who have information security as their major responsibility are in government, and 35 percent are contractors. Civilian agencies, however, rely on contractors more than DoD. OMB stated that 46 percent of security employees are government and 54 percent are contractors in non-DoD agencies.

“The main priority in federal information security for FY 2011 will be to build a defensible federal enterprise that allows the federal government to have information security as a key enabler instead of a limiting factor in harnessing technological innovation,” OMB stated.

(Copyright 2011 by All Rights Reserved.)

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.