Your Cybersecurity is Not Well, Fed

Don Miller

Annual “Cybersecurity Assessment” Scores Show that Agencies are Less Secure

The U.S. federal government is the largest single employer in the U.S., with nearly 500 different non-defense/military agencies employing almost 3 million people.  The IT infrastructure required for such a monstrous bureaucracy is so incredibly complex that it requires a separate group of IT and cybersecurity professionals, a large portion of which come from the private sector, to oversee and maintain such a web of people and agencies.

The task of auditing the cybersecurity efforts of this sprawling mass of government agencies falls to one agency.  Each year, the Office of Management and Budget (OMB), which is itself a large bureaucratic organization, has the task of submitting a report containing a “cybersecurity assessment” score which rates the “effectiveness of information security policies and practices during the preceding year.”  This year’s report is a 91-page whopper filled with cybersecurity facts that will make your head swim.

We want to spare MFT Nation readers from having to read the 91-page whopper, so for your convenience, we offer the following highlights:

  • The auditors rated each agency’s information security continuous monitoring (ISCM) at one of five levels–ad hoc, defined, consistently implemented, managed and measurable, or optimized–before considering another nine cybersecurity areas such as configuration management, risk management, and security training.
  • Last year, eight agencies received cybersecurity assessment scores above 90%.
  • This year, only one agency received a score above 90%, and the General Services Administration barely made it above that mark with a score of 91%.
  • The Department of Justice (89%), Department of Homeland Security (DHS) (86%), Nuclear Regulatory Commission (86%), and the National Aeronautics and Space Administration (85%) rounded out the five highest scores.
  • 13 agencies received cybersecurity assessment scores between 65% and 90%; nine scored lower than 65%; four finished below 50%.
  • The State Department has the ignominious distinction of finishing dead last with a paltry cybersecurity assessment score of 34%.
  • Overall, the average score for reporting agencies was 68% for the fiscal year, down 8% from the previous year.
  • Federal agencies reported 77,183 cybersecurity incidents, a 10% increase over the 69,851 incidents reported in the previous year.
  • The FY 2017 budget includes $19 billion for cybersecurity resources, a big chunk of which is slated for “retiring” the government’s “antiquated” IT systems and “transitioning” to “secure and efficient modern IT systems.”
  • The government auditors urged government agencies to “streamline governance.” Is that possible?

The bottom line is that many U.S. federal government agencies are not prepared to deal with cybersecurity threats.  It’s encouraging to see that $19 billion is budgeted for cybersecurity in FY 2017.  But with government, the concern is usually not the amount of money budgeted, but rather how wisely government spends the budgeted funds.

The OMB report contains the following two findings which suggest the U.S. federal government will be unable to meet its cybersecurity goals, notwithstanding the billions of dollars that have been budgeted for the effort:

  • “The vast majority of federal agencies cite a lack of cyber and IT talent as a major resource constraint that impacts their ability to protect information and assets.”
  • “There are a number of existing Federal initiatives to address this challenge, but implementation and awareness of these programs is inconsistent.”

Without quality cybersecurity professionals, the federal government will never meet its stated goal of strengthening its cybersecurity efforts.