The annual Federal Information Security Management Act (FISMA) review of government cybersecurity was released Feb. 27, showing some progress toward hardening federal systems but plenty of ground still to cover, particularly in user authentication.
The Office of Management and Budget ranked each of the 24 CFO Act agencies on whether they had a program to address each of 11 cybersecurity areas and the pervasiveness of each program.
Eight agencies achieved better than 90 percent in the ranking, up from six in 2013 but on par with 2012. For the third year in a row, six agencies fell below 65 percent, with Housing and Urban Development trailing the pack at 19 percent.
Agencies averaged 76 percent in 2014, up slightly from 75.6 percent in 2013.
"Fiscal Year 2014, in particular, was a pivotal year for federal cybersecurity, marked by sophisticated threat activity and vulnerabilities," OMB wrote in the annual report. "Yet still, agencies are demonstrating a commitment — and even significant progress — to improving in this area."
Federal agencies reported almost 70,000 cyber incidents in fiscal 2014, including attacks, breaches and user errors leading to leaks.
In that last category, incidents without a cyber component (i.e., mishandling of sensitive data), improper usage and policy violations made up more than 40 percent of those reported.
"In the wake of increasing cyber threats and high-profile data breaches, E-Gov Cyber conducted an analysis of agency incident and performance data to determine where to focus its oversight efforts in FY 2015," the report states. "E-Gov Cyber found during its analysis that the majority of federal cybersecurity incidents are related to or could potentially have been mitigated by strong authentication implementation."
Authentication-based incidents dropped from 65 percent of those reported in 2013 to 52 percent in 2014.
However, "While this is a decrease from FY 2013, it is still a troublingly high percentage when one considers that strong authentication implementation for civilian agency user accounts remains at only 41 percent, well below the 75 percent target," OMB wrote.
The report grouped all reported incidents into four categories, noting for each whether better user authentication methods would have helped:
- Improper Usage, Suspicious Network Activity and Unauthorized Access: Improper user behavior can be deterred by reducing anonymity through strong authentication.
- Social Engineering, Phishing and Malicious Code: These incident types can be deterred through use of PIV card capabilities like digitally signing emails and delivering corresponding user training to thwart phishing attempts.
- Denial of Service, Equipment and Other: These incident types are not typically related to strong authentication implementation.
- Non-Cyber: This incident type was removed from E-Gov Cyber's analysis since it is not related to cybersecurity incidents.