The pressure on agencies to improve their cybersecurity already is paying off.
White House cybersecurity officials say the government saw significant improvements across all three cross-agency cybersecurity goals in the six months since they were established.
Those goals include implementing continuous monitoring, strengthening Internet gateways through the Trusted Internet Connections Initiative and using two-factor authentication to log on to federal networks under Homeland Security Presidential Directive-12 (HSPD-12).
“This quarter, combining all three goals, we’ve increased by 5 percent in a single quarter so our overall score is 81 percent,” said Andy Ozment, the senior director for cybersecurity in the Executive Office of the President, in an exclusive interview with Federal News Radio. “The cybersecurity goals combine three priorities and our goal is in two years to hit 95 percent. We take these three priorities, we weight them in different ways and we combine them into one number, so that 81 percent represents the progress when you add all the agencies up. It’s not 81 percent of the agencies are getting to that goal, but when you add all the agencies up they’ve implemented 81 percent of this across the government.”
Agencies started out with a score of 76.8 percent in the fourth quarter of fiscal 2012. It dropped to 75.8 percent during the first quarter of 2013.
The White House’s goal by the end of 2014 is to get the government to 93.2 percent across all three cross-agency goals.
HSPD-12 up by 14 percent
The biggest reason for the increase was the implementation of two-factor authentication. Ozment said the implementation of HSPD-12 jumped 14 percentage points to 67.2 percent.
The summary on Performance.gov stated most of the increase is due to the Defense Department, which made logging on to the network using the common access card (CAC) a requirement in 2006. But when DoD is removed from the equation, the administration said two-factor authentication implementation grew by almost 3 percent last quarter.
Ozment said it’s a matter of getting the technology pieces in place and many agencies are starting to do that.
The summary stated the Education Department saw the biggest increase in using HSPD-12 cards, while the General Services Administration, the State Department and the Office of Personnel Management saw significant decreases from their results in the first quarter of 2013.
Eight agencies, including the departments of Housing and Urban Development, Transportation and Labor, made no progress and still do not require the smart cards for network access.
“DoD alone causes the USG to reach the FY2014 minimum target for PIV,” the summary stated. “This may take away the urgency from other agencies to accelerate their progress towards the CAP goal.”
Agencies made less dramatic progress on continuous monitoring, and consolidating and protecting Internet gateways under TIC, but still moved the needle in the right direction.
A senior administration official said the percentage refers to the fact that 84 percent of all IT assets that can be continuously monitored are being watched in real or near real-time. The official said typically hardware such as servers, work stations and mobile devices, fall under continuous monitoring, but other technologies such as USB drives and static devices can’t be or don’t have to be continuously monitored.
The White House stated 20 agencies reached the minimum target of 80 percent for automated asset management — one part of continuous monitoring, while, 11 reached or exceeded the goal of 95 percent.
Across the government, automated asset management rose 2.2 percent, while automated vulnerability management rose 2.1 percent and automated configuration management rose 11.2 percent.
The departments of Agriculture and Energy, and the Social Security Administration saw the biggest jumps last quarter.
Transportation, the National Science Foundation and the Department of Commerce suffered the biggest drops in quarter over quarter comparisons.
Under the TIC initiative, Ozment said agencies achieved 85.3 percent in terms of the capabilities they are implementing.
He said the TIC consolidation program requires a lot of discovery and agencies are finding Internet gateways they didn’t know existed. The Homeland Security Department is one such agency that found previously unknown Internet connections.
The White House said 18 of the 23 CFO Act agencies achieved a minimum target of consolidating 80 percent of their gateways, and 16 reached the goal of 95 percent.
Ozment said the TIC program is an important piece to the bigger puzzle of measuring the impact of agency cyber efforts.
“We will gain a lot in measurement by implementing the TICs. You can’t tell how well you are doing unless you can look at your own traffic and look for signs of intrusions,” he said. “So by having TICs in place and knowing all of our traffic goes through those connections, we will do a better job of catching intruders and then we will go back and figure out how long those intruders have been in our network.”
Progress has been slow
The Office of Management of Budget introduced TIC in 2007, HSPD-12 in 2004 and continuous monitoring in 2012, and progress across the first two initiatives has been slow.
Ozment said the White House realizes this and that’s one of the reasons officials made it a cross-agency goal.
“We weren’t where we needed to be so we set ourselves ambitious goals, we set a tight timeline and we really are pushing agencies to make progress. These are not easy things to do. It takes a lot of work,” he said.
Ozment said part of the reason for the progress is how the White House is holding agencies accountable.
Through the President’s Management Council (PMC), the White House is discussing the cyber goals with deputy secretaries.
“They have the opportunity to ask us about problems they’re facing and whether other agencies have solved those problems,” Ozment said. “They get to look around the room and see how well their peers are doing, and everyone wants to do well. This shining a spotlight on these problems is helping us drive progress across all three of these priorities.”