The White House recently issued its annual cybersecurity progress report, finding that while federal agencies strengthened cybersecurity defenses in fiscal year 2016, “a significant amount of work remains to implement these controls.”
Grant Schneider, acting federal chief information security officer, wrote in a blog post announcing the report that federal agencies reported nearly 30,899 cybersecurity incidents to the Department of Homeland Security in fiscal 2016. Of those, just 16 were “major information security incidents” that required reporting information to Congress.
Most of those occurred within the Federal Deposit Insurance Corporation, and included employees taking personally identifiable information “in an unauthorized fashion.” In response, the FDIC implemented solutions that prevent employees from downloading information onto removable media.
The Treasury Department also reported two major incidents, one in January 2016 at the IRS, and one in September that involved an OCC employee downloading “a large volume of files” to removable media.
“Treasury has indicated that there is no evidence that the individual disclosed information, as the agency had previously encrypted the data,” according to the report.
Other incidents included one at the Department of Commerce in December 2015, when a power outage damaged equipment at the U.S. patent office; two at the Department of Housing and Urban Development involving personally identifiable information being made available to the public; and one in late 2016 at the Department of Health and Human Services that potentially compromised personally identifiable information. Because it happened so late in the year, the investigation and mitigation of that event will largely take place in 2017, according to the report.
In July 2016, the Office of Management and Budget and the Office of Personnel Management published a framework to help federal agencies recruit cybersecurity workers, including a proposal to invest $62 million in fiscal 2017 in cybersecurity education and training.
Cross-agency priority (CAP) goals for fiscal years 2015-2017 have three areas of focus, according to the report: continuous monitoring of information security, access management, and anti-phishing and malware defense.
Regarding information security, federal agencies fell short of their 95% implementation goals in hardware and software management, with 61% of agencies reporting they’ve implemented such strategies. Federal agencies reported less of a gap in vulnerability management (90% implementation) and secure configuration management (92%).
Eighty-one percent of agencies implemented strategies regarding unprivileged users’ access, just shy of a goal of 85%. The goal for privileged users is 100%; 89% have implemented strategies.
The goal of identity and access management, according to the report, “is to implement a set of capabilities that ensure network users use strong authentication to access federal IT resources and to limit users’ access to the resources and data required for their job functions.” Methods for doing so include identity proofing solutions, physical access and network access controls.
Of 89 federal agencies, 69 met the anti-phishing defenses target and 65 met the malware defense target.