Agencies improve, but still fall short of cybersecurity CAP goals

Most agencies are making progress in securing their information and protecting themselves from cyber threats, but they’re still falling short of the Cross-Agency Priority (CAP) Goals set by the Obama administration, according to a fourth-quarter update recently posted on

The Obama administration established 15 cross-agency priority goals when it released the 2015 budget last spring. The seven mission-oriented and eight management goals are laid out in a four-year timeframe.

“Established by the GPRA Modernization Act of 2010, these Cross-Agency Priority (CAP) Goals are a tool used by leadership to accelerate progress on a limited number of Presidential priority areas where implementation requires active collaboration between multiple agencies,” the White House wrote on

For cybersecurity, the White House set as a goal to: “Improve cybersecurity performance through ongoing awareness of information security, vulnerabilities, and threats impacting the operating information environment, ensuring that only authorized users have access to resources and information; and the implementation of technologies and processes that reduce the risk of malware.”


The administration established three priorities for cybersecurity capabilities:

  • Information Security Continuous Monitoring Mitigation (ISCM) – Observing, assessing and measuring cybersecurity at agencies.
  • Identity, Credential, and Access Management (ICAM) – Putting in place capabilities to make sure users authenticate to IT resources and are only able to access information germaine to their specific jobs.
  • Anti-Phishing & malware defense (TIC) – Establishing training, technology and procedures that reduce the transfer of malware via email or malicious websites.

The Chief Financial Officer Act agencies continued to show improvement in these areas through the fourth quarter of Fiscal Year 2014, according to the report. ISCM grew from 88.27 percent to 92.32 percent. Strong Authentication increased from 64.62 percent to 72.03 percent. TIC Consolidation grew from 91.91 percent to 95.48 percent and TIC Capabilities grew slightly from 91.43 percent to 91.65 percent.

Overall Cyber CAP Progress grew from 85.46 percent in the third quarter to 89.35 percent in the fourth quarter.

Click on chart to view a larger version. (Source:

Despite all of these increases, none of the areas, with the exception of TIC Consolidation, reached the CAP target goals set by the administration. TIC Consolidation rose 3.57 percent, exceeding the CAP goal at 95 percent. In additon, TIC 2.0 security capabilities are at 92 percent, rising 0.22 percent since last quarter.

In the area of strong authentication, the use of PIV (personal information verification) cards for logical access at civilian CFO agencies increased by 10.83 percent to 41.01 percent.

In addition, the following nine agencies increased their total PIV use by 10 percent or more over the quarter: the departments of Homeland Security (80 percent), Commerce (88 percent), Interior (36 percent), Transportation (31 percent), Education (85 percent) and Treasury (43 percent), Environmental Protection Agency (69 percent), NASA (82 percent) and the National Science Foundation (19 percent).

As of the fourth quarter of FY2014, seven agencies have surpassed the CAP goal target of 75 percent for strong authentication, with 16 agencies showing a 10 percent or greater increase.

The Department of Health and Human Services regressed by double-digits in two of the three ICAM capabilities over the fourth quarter. In configuration management, HHS dropped from 83 percent at the end of the third quarter to 69 percent. In vulnerability management, it dropped from 97 percent to 77 percent over the quarter. HHS’ TIC 2.0 capabilities also dropped from 100 percent in the third quarter to 74 percent.

The Obama administration has set new cross-agency priority goals for managing government as part of its 2015 budget. Federal News Radio examines the eight areas identified by the White House in our special section 2014 Cross Agency Priority Goals.


Agencies reset after missing the mark on cybersecurity goals

VA fails cybersecurity audit for 16th straight year

Commerce takes bigger oversight role in its bureaus’ cybersecurity