Most agencies got low marks on the White House’s latest quarterly scorecard measuring their progress in improving cybersecurity.
With the exception of the Defense Department and the General Services Administration, agencies are well below the administration’s 2014 goal for requiring 90 percent of federal workers and contractors to use Personal Identity Verification (PIV) cards to access agencies’ information systems. The cards help agencies ensure only authorized employees have access to their information systems.
Most agencies have issued cards, but at half of the 24 agencies reporting, only 2 percent or less of employees are using them. DoD and GSA are the exceptions, where 84 percent and 93 percent of employees use the cards.
Being able to identify who is on agency systems is one of three areas measured on the scorecard, released Friday.
Also scored:
Agencies must verify what hardware is connected to their networks and whether it is secure. Specifically, by October 2014, agencies should be using automated software to monitor 95 percent of the devices operating on their networks to know whether they are secure.
Those scores show agencies are struggling to continuously monitor their networks for rogue devices and vulnerabilities on legitimate devices. Eighteen agencies reached the minimum target for monitoring 80 percent of the devices and other hardware connected to their networks, and 12 agencies reached 95 percent, the report said. But one-third of agencies reported decreases in their ability to automate security checks of those devices once they are detected.
Agencies must verify what information is entering and leaving their networks.
Agencies improved their ability to track what is leaving and entering their networks by consolidating their external connections to the Internet and securing those connections.
Eighty-four percent of the traffic leaving agencies’ networks goes through one of their secure Internet connections. That number is up from 81.2 percent in the previous quarter.
The governmentwide cyber initiative “represents a change in culture, focus and perspective and has not been an easy one for a lot of agencies,” Earl Crane, who reports to the White House cybersecurity coordinator, said at last week’s RSA Conference in San Francisco.
He said recently changed reporting requirements, now more rigorous and accurate, may account for the drop in overall scores.
For example, agencies must now detail whether employees are required to use PIV cards when logging onto systems remotely as well as in the office. At the Education Department, that new metric decreased its overall score from 75 percent to 47 percent of employees using PIV cards to access agency systems.
“We know they’re going in the right direction,” Crane said of agencies’ progress. “We just want them to go faster.”
One major impediment to that success is the sequester, which imposes automatic budget cuts across all agencies.
Michael Daniel, the White House cybersecurity coordinator, said the sequester will make it more difficult for underperforming agencies to improve their cyber defenses.