OMB turns up heat on agencies to implement smart ID cards for computer access

Agencies faced a 15 percent increase in the number of cybersecurity incidents in fiscal 2014.

The Office of Management and Budget sent its annual Federal Information Security Management Act report to Congress late Friday detailing progress and challenges.

OMB said agencies reported nearly 70,000 information security incidents last year. That’s up from 48,000 in 2012.

But OMB warned that the increase in the number of incidents doesn’t necessarily mean agencies are at more risk than before. The White House said the rise in reported cyber attacks or threats also comes from agencies’ better understanding what is happening on their computer networks.

The most common threat agencies faced, according to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT), was from the mishandling of paper documents with personal information or other sensitive data. Other common problems include scans, probes and attempted access.

Denial of service and phishing attacks — two of the most common among the public and private sectors — were extremely rare. There were fewer than 100 of each last year among the CFO Act agencies.

Widespread lack of two-factor authentication

“E-Gov Cyber’s analysis indicates that nearly a third of federal incidents are related to or could have been prevented by strong authentication [two-factor] implementation,” OMB wrote in the report. “US-CERT incident reports indicate that in FY 2013, 65 percent of federal civilian cybersecurity incidents were related to or could have been prevented by strong authentication implementation. This figure decreased 13 percent in FY 2014 to 52 percent of cyber incidents reported to US-CERT. While this is a decrease from FY 2013, it is still a troublingly high percentage when one considers that strong authentication implementation for civilian agency user accounts remains at only 41 percent, well below the 75 percent target.”

The OMB E-Gov Cyber unit is a new group of cyber experts running the CyberStat program and helping agencies improve their network and infrastructure security.

The lack of progress on strong authentication across the civilian agencies will be a focal point for the unit. In the report, OMB said the E-Gov Cyber unit will prioritize those agencies that have struggled to implement two-factor authentication for CyberStat reviews.

Agency Cybersecurity Spending by Major Category, FY 2014 Actual (Dollars in Millions)

Click to view a larger version of the chart.

OMB found beyond the Defense Department, only six agencies achieved even an 80 percent implementation of Homeland Security Presidential Directive-12 (HSPD-12) smart identity cards.

Five agencies — the departments of Labor, Housing and Urban Development and State, the Nuclear Regulatory Commission and the Small Business Administration — have not implemented any network access controls using smart cards. Meanwhile, three other agencies — the Office of Personnel Management, the Agriculture Department and the U.S. Agency for International Development — achieved less than 10 percent for strong authentication implementation.

“Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering,” OMB said.

An over-reliance on usernames and passwords is concerning for unprivileged accounts, which typically are used for day-to-day work. It’s even worse when privileged accounts, such as those used by system administrators, are not secured by two-factor authentication.

“Privileged user accounts, of which there are 134,287 across the federal government, possess elevated levels of access to or control of federal systems and information, significantly increasing the risk to government resources if their credentials are compromised,” the report said.

It listed 18 agencies that do not require most privileged users to log in with two-factor PIV authentication: the Environmental Protection Agency, General Services Administration, USAID, SBA, NRC, NASA and the departments of State, Veterans Affairs, Agriculture, Labor, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Justice, Interior and Homeland Security.

Long-awaited wins under Trusted Internet Connections initiative

Agencies finally achieved success under the Trusted Internet Connections (TIC) initiative. Seven years after issuing the memo for agencies to consolidate the number of Internet gateways, OMB reported 95 percent of agencies’ external traffic passed through a TIC or other trusted gateway last year. That is up from 86 percent in 2013.

OMB said in the report that the focus on cyber over the last decade seems to be paying off. More agencies are protecting their networks from attacks through email spoofing as well as analyzing links or attachments for potential viruses and malware.

“As the federal government’s reliance on email has increased, so too has the risk of fraudulent emails entering or emanating from federal agencies,” OMB said. “Additionally, unencrypted emails are a primary source of sensitive data loss because they move outside the protection of physical and electronic barriers that protect other hardware assets.”


OMB reaffirms cyber oversight role

The beginning of a HSPD-12 rewrite?

Agency cybersecurity deficiencies remain as attacks reach all-time high

Wishful FISMA thinking