Agencies have taken significant steps to improve their cybersecurity in the aftermath of the two recent cyber breaches at the Office of Personnel Management.
In a blog post today, the Office of Management and Budget released the preliminary results of the 30-day cyber sprint ordered by federal Chief Information Officer Tony Scott in June.
At the heart of the sprint was a binding operational directive issued by the Homeland Security Department in May, which Federal News Radio first reported on June 8. It required agencies to fix all critical vulnerabilities within 30 days or justify to DHS why they could not. OMB’s cyber sprint went beyond that, according to a fact sheet issued by the Obama administration on June 12.
Scott instructed agencies to tighten policies for privileged users, dramatically accelerate the implementation of smart identity cards for logical access under Homeland Security Presidential Directive-12, and immediately deploy indicators provided by DHS to scan systems and logs to detect attacks or the possibility of a breach.
Today’s blog post reported the following improvements in strong authentication:
“Federal Civilian agencies increased their use of strong authentication for privileged and unprivileged users from 42 percent to 72 percent — an increase of 30 percent since agencies last reported their quarterly data on Performance.gov.
“Specifically, Federal civilian agencies increased their use of strong authentication for privileged users from 33 percent to nearly 75 percent — an increase of more than 40 percent since agencies last reported their quarterly data on Performance.gov.
“Thirteen agencies, or more than half of the largest agencies — including the Departments of Transportation, Veterans Affairs, and the Interior — have implemented the same level of strong authentication for nearly 95 percent of their privileged users.”
While recognizing the significance of these statistics, OMB acknowledged that more needed to be done to improve agencies’ cybersecurity.
“Agencies are reducing the number of privileged users and working with DHS to scan their networks on an ongoing basis for known critical vulnerabilities,” OMB said. “Additionally, agencies continue to train employees to recognize and report phishing attempts to introduce malware into Federal networks. But malicious actors aren’t slowing down. As their efforts become more sophisticated, frequent, and impactful, so must ours. Although the Sprint may have come to a conclusion, it is only one leg of a marathon to build upon progress made, identify challenges, and continuously strengthen our defenses.”
To build on the work started by the cyber sprint, a team of more than 100 experts from agencies and the private sector is reviewing the government’s cybersecurity practices, policies and procedures. They will be creating a Cybersecurity Sprint Strategy and Implementation Plan, which will be released in the coming months.
The White House also reached out to Congress to provide the necessary funding and resources for agencies to protect their networks.
Earlier this week, Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.), the chairman and ranking member, respectively, of the Senate Homeland Security and Governmental Affairs Committee, introduced the Federal Cybersecurity Enhancement Act (S. 1869), which aims to enhance agencies’ ability to protect themselves from cyber attacks. The committee passed the bill on for a vote by the full Senate.
“This growing threat is too intense for anything but the best defenses,” Carper said, in a release. “Fortunately, this Administration has made cybersecurity a top priority and has focused its attention on cyber best practices for federal agencies and networks. However, we are reminded nearly every day that more needs to be done in order to stay ahead of the ever-evolving threat. Today’s results from the Administration’s Cybersecurity Sprint underscore that need. Far too many agencies need to step up when it comes to strengthening their cyber defenses.”
Carper praised today’s news from the White House, but agreed more work needs to be done.
“Our bill would also enhance and accelerate the deployment of Department of Homeland Security’s federal cybersecurity program known as EINSTEIN,” he said. “We know all too well that cybersecurity is not only a sprint, it’s a marathon. It will take sustained focus, vigilance, and progress to ensure every federal agency and business is equipped with the capabilities needed to fend off future cyber attacks.”
Over in the House, Rep. Will Hurd (R-Texas) introduced the EINSTEIN Act of 2015 on Wednesday. It would authorize DHS to deploy its EINSTEIN 3A program. DHS Secretary Jeh Johnson has called on Congress to authorize the program’s deployment.