More than three-quarters of all agencies put some aspect of continuous monitoring in place in fiscal 2011.
The Office of Management and Budget reports 78 percent of all major agencies submitted data automatically to the Homeland Security Department’s Cyberscope program last year. This is up from 56 percent in 2010.
In its annual report to Congress on the implementation of the Federal Information Security Management Act, the administration said 80 percent of all agencies implemented an automated asset inventory management capability. Also, 78 percent were using an automated configuration management capability and 77 percent were using automated vulnerability management software.
“All three data feeds have provided insight into the number of systems that are being managed under automated asset, configuration and vulnerability management,” OMB wrote in the report posted today. “A key goal of configuration and vulnerability management is to make assets more difficult to exploit by following published guidelines and best practices.”
OMB set a Sept. 30, 2012 deadline for agencies to implement continuous monitoring. Agencies had to start using Cyberscope by Nov. 15 of last year.
The administration’s findings fly in the face of recent surveys by industry, in which agencies said they are struggling to meet the continuous monitoring mandate. For example, a recent survey of 200 federal managers by RedSeal Networks during the GFirst conference last fall found only 27 percent are currently putting the capabilities in place to analyze their computer networks in real time.
Cyberscope usage increasing
OMB said 19 of 24 agencies reported data to Cyberscope in 2011. Only the departments of Housing and Urban Development and State, NASA, the U.S. Agency for International Development and the Office of Personnel Management didn’t meet this mandate.
Continuous monitoring was one of three administration cyber priorities in 2011.
However, OMB said agencies made less progress in implementing the Trusted Internet Connections initiative and using their secure identity cards under Homeland Security Presidential Directive-12 to access their computer networks.
While 90 percent of all federal employees have HSPD-12 compliant smartcards, only four agencies — the departments of Defense, Education and Agriculture and the General Services Administration — required at least 44 percent of all users to log on to the network using the cards.
Of the other 18 agencies, only four showed any progress — the departments of Homeland Security, State and Commerce and NASA.
“The FY 2011 FISMA metrics data indicates that 66 percent of government user accounts are configured to require Personal Identity Verification (PIV) cards to authenticate to agencies’ networks, up from 55 percent in FY 2010,” OMB stated. “The increase of 11 percent was attributable to several agencies which made significant strides in HSPD-12 implementation to include the Department of Education which increased 59 percent in PIV authentication usage in FY 2011. An additional 22 percent of user accounts are configured to optionally use PIV cards.”
Under TIC, agencies made a little more progress.
“The consolidation of external network traffic increased from 48 percent in FY 2010 to 85 percent in FY 2011 for the 18 assessed TICAPs, and to 27 percent for the 42 self-identified agencies seeking vendor-provided MTIPS,” OMB stated. “The implementation of TIC Reference Architecture v.1.0 critical security capabilities also increased from 60 percent in FY 2010 to 85 percent in FY 2011, though one agency and one MTIPS provider remained to be assessed.”
Progress in 14 of 16 FISMA areas
Beyond these three areas, agencies improved their compliance with FISMA requirements across the board. OMB said agencies reported their cyber capabilities increased in 14 of 16 areas, and decreased in only one area — controlled incident detection — while remote access authentication stayed the same as last year.
Among the most significant improvements across the government was in domain name system security implementation, a 30 percent increase to 65 percent of all agencies.
Two areas of continuous monitoring, automated configuration management and automated vulnerability management, were the next two largest increases.
OMB also said 83 percent of the agencies have encrypted portable devices, up from 54 percent in 2010, and remote access encryption increased by 11 percent to 83 percent.
Agencies continue to see an increase in cyber incidents. DHS U.S. Computer Emergency Response Team (U.S. CERT) said agencies reported 43,889 incidents impacted them in 2011, up from 41,776 in 2010. Overall, U.S. CERT said 5 percent of the 107,655 reported cyber incidents affected federal agencies.
Attacks using malicious code (26.5 percent), improper usage (19.2 percent) and unauthorized access (15.9 percent) were among the most common types agencies faced.
Agencies spent $13.3 billion on cyber in 2011
Across the government, agencies spent $13.3 billion on cybersecurity in 2011, of which 72 percent was on personnel. DoD spent the most, more than $10 billion, while USAID and the National Science Foundation spent the least, less than $50 million.
Beyond personnel costs, agencies spent 7 percent of their funds on security tools, 10 percent on implementing the National Institute of Standards and Technology Special Publication 800-37, 4 percent on security testing and 3 percent on security training.
“In FY 2011, CFO Act agencies reported a total of 84,426 full time equivalents with major responsibilities in information security,” OMB stated. “Of the total FTEs for the CFO Act agencies, 60 percent are government FTEs, 40 percent are contractor FTEs. This percentage is heavily influenced by DOD’s large FTE numbers. DOD’s IT security personnel are 64 percent government FTEs and 36 percent contractor FTEs. Excluding DOD, 45 percent of security FTEs are government FTEs, and 55 percent are contractor FTEs. IT security has consistently been a functional area that depends on talent and technical expertise from industry and commercial sources.”
This story is part of Federal News Radio’s daily Cybersecurity Update.