If Benjamin Franklin were alive today, there’s one more thing he could add to his list of certainties. Along with death and taxes we can now be assured that the number of cybersecurity incidents will continue to rise. A recent report released by the White House confirmed that computer security incidents affecting the federal government increased by 5 percent in 2012 over 2011 numbers. Yet, agencies’ security metrics fell slightly from 75 percent in 2011 to 74 percent in 2012 as they struggled to keep up with new FISMA requirements, such as continuous monitoring.
Each year Congress receives a report on how agencies are addressing cybersecurity in accordance with the Federal Information Security Management Act of 2002 (FISMA). The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) reports that malicious code continues to be one of the most widely reported incident types across agencies and notes that measures are being taken to identify and mitigate weaknesses in the federal infrastructure that can be exploited by malware.
Agencies performed best in security capital planning, incident response and reporting, and remote access management, according to the report. However, continuous monitoring management, configuration management, Plan of Action and Milestones (POA&M) remediation, and identity and access management were among the weakest-performing areas.
While the Department of Defense did not provide sufficient information for scoring, 12 agencies, including the NSA, GSA, and Department of Homeland Security, had initiatives in place for all 11 cybersecurity program categories, although each also identified areas for improvement. The other agencies had at least one area for which they did not have a program.
Three agencies – Department of Housing and Urban Development, Office of Personnel Management, and Agency for International Development – reported that they did not have continuous monitoring management programs in place. Eight agencies scored over 90 percent compliance, nine scored between 65 and 90 percent compliance, and the remaining five scored less than 65 percent.
The report also indicates that as more federal employees embrace telework and work outside a traditional office environment, agencies are meeting these needs with a variety of initiatives, including measures to address unauthorized access and equipment incidents as well as improper usage, policy violations, and non-cyber incidents that can lead to the unauthorized disclosure of personally identifiable information.
Protecting individual privacy continues to be a top priority. According to the report, the increased use of cloud computing, mobile computing devices and services, and social media means that “federal agencies must take steps to analyze and address privacy issues at the earliest stages of the planning process, and they must continue to manage information responsibly throughout the life cycle of the information.”