As part of that realization, the Office of Management and Budget called for a 30-day cybersecurity sprint, mandating each agency meet a set of baseline requirements. That sprint wrapped up Sunday and preliminary results look positive, according to Federal CIO Tony Scott.
"It focused on a number of different activities but primarily on a couple of areas: increasing the level of two-factor authentication for privileged system users, patching critical vulnerabilities and widely disseminating the indicators of compromise," Scott said.
That first area — a lack of two-factor authentication — is one of the main reasons perpetrators were able to get usable information out of OPM's systems using basic credentials stolen from third party contractors at KeyPoint Government Solutions.
Days before the sprint wrapped up, Scott said agencies were already reporting progress on these priority initiatives.
OPM Data Breach: What You Need to Know
"We've dramatically increased the amount of two-factor authentication," he said during a call with reporters July 9. "A number of agencies have hit 100 percent and broadly across the government we've hit 20 percent."
The 2014 FISMA audit — issued in February 2015 — which analyzed the security posture of the entire federal government, showed that more than 5 million government users could access unprivileged accounts using just a username and password.
"While the substantial number of unprivileged user accounts … that are able to log on to federal networks with only a user ID and password is concerning, a potentially more serious issue is the number of privileged network accounts that are able to log on with only a user ID and password," the report reads. "Privileged user accounts … possess elevated levels of access to or control of federal systems and information, significantly increasing the risk to government resources if their credentials are compromised."
More than 134,000 users could access privileged accounts with the same low-level authentication, with 18 major agencies allowing privileged user access without two-factor authentication prior to the sprint.
Scott said agencies and area-specific working groups will be reporting the full results of the sprint to OMB over the next few weeks.
"This is important work across all the agencies of the federal government to make sure that we greatly enhance the cybersecurity profile of the government as a whole," he said.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.