Cybersecurity
GAO finds agencies mostly managed telework network security with a few holes
Cybersecurity
Federal cyber agencies call zero trust ‘new normal’ of security, partnering to implement
Federal Tech Talk
Rubrik and NetApp: Joining forces to improve network security
Cybersecurity
Warner says Senate committee working on bill to require mandatory reporting for cyber threats
Ask the CIO
GSA credits success of record IT revenue savings to transparency, more trust
Cybersecurity
US agencies, companies secure networks after huge hack
Federal Insights
No more patient zero: A new paradigm for agency network protection
Insight by Palo Alto Networks
Commentary
DoD should use third-party cybersecurity assessments for its vendors
Cybersecurity
NOAA’s approach to Zero Trust is a ‘developing process’
Forrester Research
![During the pandemic, agencies have generally managed to secure networks for remote access, but a sampling of a dozen organizations revealed some cyber vulnerabilities were overlooked.
A recent Government Accountability Office <a href="https://www.gao.gov/products/gao-21-583?utm_medium=social&utm_source=twitter&utm_campaign=usgao">report</a> said the biggest needs for improvement were to assess all relevant IT security controls and enhancements, and fully document remedial actions as necessary. The agencies did better at documenting both their telework security policies, and relevant IT security controls and enhancements.
<img class="aligncenter size-full wp-image-3699681" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart1.jpg" alt="" width="732" height="610" />
Within agencies’ documentation, GAO looked for system security plans, the results of security control assessments, remedial action plans and whether or not agencies followed cybersecurity guidance from the National Institute of Standards and Technology — particularly SP 800-53.
“If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems View GAO that provide remote access could be exploited,” GAO wrote.
A month before the report’s release, Jennifer Franks, GAO’s director of Information Technology and Cybersecurity, said the agency would <a href="https://federalnewsnetwork.com/cybersecurity/2021/09/gao-will-release-report-on-pandemic-cyber-expand-reviews-to-include-supply-chain-in-near-future/">expand its reviews</a> to take recent pushes to improve supply chain risk into account, citing the SolarWinds incident and Microsoft Exchange vulnerabilities as examples.
GAO studied actions taken by 12 agencies and ultimately recommendation actions to six: The Securities and Exchange Commission, the Social Security Administration, FBI, the Office of Personnel Management, and the departments of Transportation and Homeland Security. Agencies studied for the report all support national essential functions that must continue during emergencies, have at least 1,000 employees and at least 20% of their workforce is telework-eligible.
To keep workers connected, all of the agencies used virtual private networks while seven of them used direct application access. Five agencies used application portals and only one offered remote desktop access to teleworkers. Half of them allowed employees to use personal devices, and all enable employees with secure tokens, according to the report. Most of the agencies reported working around the challenges of these tokens’ short expiration times with creating more temporary credentials.
SEC, SSA and Transportation each received some combination of the following recommendations:
<ul>
<li>Document relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework;</li>
<li>Assess all relevant IT security controls and enhancements for the system that provides remote access for telework;</li>
<li>Assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework; and</li>
<li>Consistently monitor progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system that provides remote access for telework.</li>
</ul>
“For example, as of May 2021, [SSA] had not documented about half of the relevant controls and enhancements in the plan. SSA IT security officials told us that the agency was reorganizing the components that make up the system that provided remote access to the agency’s employees, and that, due to the reorganization, they had not updated the system security plan since 2016,” GAO wrote. “SSA asserted, however, that the controls and enhancements were in place.
It warned SSA and SEC that until those agencies consistently document network cybersecurity controls, officials will not have the information they need to make “credible, risk-based decisions regarding their information systems.”
<img class="aligncenter size-full wp-image-3699682" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart2.jpg" alt="" width="740" height="494" />
Other agencies studied but which did not prompt recommendations were the Food and Nutrition Service at the Agriculture Department; the Bureau of Indian Affairs, the National Park Service, the Federal Highway Administration, IRS, Federal Law Enforcement Training Centers and the U.S. Secret Service at DHS; and the Executive Office for Immigration Review at the Justice Department.
GAO conducted the study between April 2020 and September 2021, as part of a CARES Act provision that requires the watchdog agency to report on its ongoing monitoring and oversight efforts related to the COVID-19 pandemic.]()
![During the pandemic, agencies have generally managed to secure networks for remote access, but a sampling of a dozen organizations revealed some cyber vulnerabilities were overlooked.
A recent Government Accountability Office <a href="https://www.gao.gov/products/gao-21-583?utm_medium=social&utm_source=twitter&utm_campaign=usgao">report</a> said the biggest needs for improvement were to assess all relevant IT security controls and enhancements, and fully document remedial actions as necessary. The agencies did better at documenting both their telework security policies, and relevant IT security controls and enhancements.
<img class="aligncenter size-full wp-image-3699681" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart1.jpg" alt="" width="732" height="610" />
Within agencies’ documentation, GAO looked for system security plans, the results of security control assessments, remedial action plans and whether or not agencies followed cybersecurity guidance from the National Institute of Standards and Technology — particularly SP 800-53.
“If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems View GAO that provide remote access could be exploited,” GAO wrote.
A month before the report’s release, Jennifer Franks, GAO’s director of Information Technology and Cybersecurity, said the agency would <a href="https://federalnewsnetwork.com/cybersecurity/2021/09/gao-will-release-report-on-pandemic-cyber-expand-reviews-to-include-supply-chain-in-near-future/">expand its reviews</a> to take recent pushes to improve supply chain risk into account, citing the SolarWinds incident and Microsoft Exchange vulnerabilities as examples.
GAO studied actions taken by 12 agencies and ultimately recommendation actions to six: The Securities and Exchange Commission, the Social Security Administration, FBI, the Office of Personnel Management, and the departments of Transportation and Homeland Security. Agencies studied for the report all support national essential functions that must continue during emergencies, have at least 1,000 employees and at least 20% of their workforce is telework-eligible.
To keep workers connected, all of the agencies used virtual private networks while seven of them used direct application access. Five agencies used application portals and only one offered remote desktop access to teleworkers. Half of them allowed employees to use personal devices, and all enable employees with secure tokens, according to the report. Most of the agencies reported working around the challenges of these tokens’ short expiration times with creating more temporary credentials.
SEC, SSA and Transportation each received some combination of the following recommendations:
<ul>
<li>Document relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework;</li>
<li>Assess all relevant IT security controls and enhancements for the system that provides remote access for telework;</li>
<li>Assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework; and</li>
<li>Consistently monitor progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system that provides remote access for telework.</li>
</ul>
“For example, as of May 2021, [SSA] had not documented about half of the relevant controls and enhancements in the plan. SSA IT security officials told us that the agency was reorganizing the components that make up the system that provided remote access to the agency’s employees, and that, due to the reorganization, they had not updated the system security plan since 2016,” GAO wrote. “SSA asserted, however, that the controls and enhancements were in place.
It warned SSA and SEC that until those agencies consistently document network cybersecurity controls, officials will not have the information they need to make “credible, risk-based decisions regarding their information systems.”
<img class="aligncenter size-full wp-image-3699682" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart2.jpg" alt="" width="740" height="494" />
Other agencies studied but which did not prompt recommendations were the Food and Nutrition Service at the Agriculture Department; the Bureau of Indian Affairs, the National Park Service, the Federal Highway Administration, IRS, Federal Law Enforcement Training Centers and the U.S. Secret Service at DHS; and the Executive Office for Immigration Review at the Justice Department.
GAO conducted the study between April 2020 and September 2021, as part of a CARES Act provision that requires the watchdog agency to report on its ongoing monitoring and oversight efforts related to the COVID-19 pandemic.]()
![During the pandemic, agencies have generally managed to secure networks for remote access, but a sampling of a dozen organizations revealed some cyber vulnerabilities were overlooked.
A recent Government Accountability Office <a href="https://www.gao.gov/products/gao-21-583?utm_medium=social&utm_source=twitter&utm_campaign=usgao">report</a> said the biggest needs for improvement were to assess all relevant IT security controls and enhancements, and fully document remedial actions as necessary. The agencies did better at documenting both their telework security policies, and relevant IT security controls and enhancements.
<img class="aligncenter size-full wp-image-3699681" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart1.jpg" alt="" width="732" height="610" />
Within agencies’ documentation, GAO looked for system security plans, the results of security control assessments, remedial action plans and whether or not agencies followed cybersecurity guidance from the National Institute of Standards and Technology — particularly SP 800-53.
“If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems View GAO that provide remote access could be exploited,” GAO wrote.
A month before the report’s release, Jennifer Franks, GAO’s director of Information Technology and Cybersecurity, said the agency would <a href="https://federalnewsnetwork.com/cybersecurity/2021/09/gao-will-release-report-on-pandemic-cyber-expand-reviews-to-include-supply-chain-in-near-future/">expand its reviews</a> to take recent pushes to improve supply chain risk into account, citing the SolarWinds incident and Microsoft Exchange vulnerabilities as examples.
GAO studied actions taken by 12 agencies and ultimately recommendation actions to six: The Securities and Exchange Commission, the Social Security Administration, FBI, the Office of Personnel Management, and the departments of Transportation and Homeland Security. Agencies studied for the report all support national essential functions that must continue during emergencies, have at least 1,000 employees and at least 20% of their workforce is telework-eligible.
To keep workers connected, all of the agencies used virtual private networks while seven of them used direct application access. Five agencies used application portals and only one offered remote desktop access to teleworkers. Half of them allowed employees to use personal devices, and all enable employees with secure tokens, according to the report. Most of the agencies reported working around the challenges of these tokens’ short expiration times with creating more temporary credentials.
SEC, SSA and Transportation each received some combination of the following recommendations:
<ul>
<li>Document relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework;</li>
<li>Assess all relevant IT security controls and enhancements for the system that provides remote access for telework;</li>
<li>Assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework; and</li>
<li>Consistently monitor progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system that provides remote access for telework.</li>
</ul>
“For example, as of May 2021, [SSA] had not documented about half of the relevant controls and enhancements in the plan. SSA IT security officials told us that the agency was reorganizing the components that make up the system that provided remote access to the agency’s employees, and that, due to the reorganization, they had not updated the system security plan since 2016,” GAO wrote. “SSA asserted, however, that the controls and enhancements were in place.
It warned SSA and SEC that until those agencies consistently document network cybersecurity controls, officials will not have the information they need to make “credible, risk-based decisions regarding their information systems.”
<img class="aligncenter size-full wp-image-3699682" src="https://federalnewsnetwork.com/wp-content/uploads/2021/10/GAO-chart2.jpg" alt="" width="740" height="494" />
Other agencies studied but which did not prompt recommendations were the Food and Nutrition Service at the Agriculture Department; the Bureau of Indian Affairs, the National Park Service, the Federal Highway Administration, IRS, Federal Law Enforcement Training Centers and the U.S. Secret Service at DHS; and the Executive Office for Immigration Review at the Justice Department.
GAO conducted the study between April 2020 and September 2021, as part of a CARES Act provision that requires the watchdog agency to report on its ongoing monitoring and oversight efforts related to the COVID-19 pandemic.]()
Insight of the Month
Nothing personal: Zero Trust meant to stop cyber breaches before they start
Federal Insights
Insight by Akamai Zero Trust: IoT, machine-to-machine communication and network security
Federal Insights
Insight by Akamai Zero Trust: Content delivery network and cybersecurity
Federal Insights
Insight by Microsoft Addressing threats through a Relentless Focus on Security
All News
Intelligence pro offers ideas for reducing insider threat
Federal Insights
A 360-Degree View of Federal Network Security
Federal Tech Talk
Network management: Results from a cybersecurity survey
Federal Tech Talk
Gaining control of your network
Federal Tech Talk
Stopping Advanced Persistent Threats (APTs)
Amtower Off-Center
It's the BOB show!