After the cyber sprint: 14 agencies meet Tony Scott's mark

After a long wait, the White House has released results on agencies' progress on strong authentication during the government's 30-day cybersecurity sprint.

"One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication," federal CIO Tony Scott wrote in a July 31 blog post. "Over the course of the Sprint, agencies made significant progress in this area."

Government-wide, agencies increased strong authentication use for privileged users from 33 percent to 75 percent between April and July; for all users, the increase was 42 to 72 percent.

The results show 14 major civilian agencies surpassing Scott's goal of 75 percent for strong authentication, and several agencies hit 100 percent for privileged users alone. Ten agencies missed the mark.

The General Services Administration topped the list, going from 94 percent to 99 percent strong authentication between April and July.

Other agencies made large gains, including Veterans Affairs (10 percent in April to 81 percent in July), the Interior Department (43 to 89 percent) and the Nuclear Regulatory Commission (0 to 78 percent).

The Office of Personnel Management, the agency at the center of it all, went from 42 percent to 97 percent.

Other agencies, including NASA and the Labor Department, missed the goal but still posted large improvements. A few agencies, however, including the Education and Energy Departments, actually posted drops in strong authentication percentages between April and July.

"Today's results from the administration's cybersecurity sprint underscore [the] need [to stay ahead of ever-evolving cyber threats]," Sen. Tom Carper (D-Del.) said in a statement. "Far too many agencies need to step up when it comes to strengthening their cyber defenses."

"But Congress has a responsibility to help, too," he added, plugging the cyber bill he and Senate Homeland Security & Governmental Affairs Committee Chair Ron Johnson (R-Wisconsin) are sponsoring.

That bill, the Federal Cybersecurity Enhancement Act of 2015, would require stronger cyber protections in agencies and speed the adoption of the Homeland Security Department's Einstein intrusion detection system across government.

Scott echoed Carper's call for congressional support, and said good cyber security measures will take increased funding. And while strong authentication was the focus of the July 31 report, that was merely one element of the sprint's scope.

"Although the sprint may have come to a conclusion, it is only one leg of a marathon to build upon progress made, identify challenges, and continuously strengthen our defenses," Scott noted.

He said he's assembled a team of 100 experts from the private sector and government alike to analyze results of the sprint.

"Ultimately, the team's assessment will inform and operationalize a set of action plans and strategies to further address critical cyber security priorities and recommend a Cybersecurity Sprint Strategy and Implementation Plan to be released in the coming months," Scott said.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Connect with Noble on Twitter: @thezachnoble.


Reader comments

Thu, Aug 13, 2015 It's Just a Noodle

"Other agencies made large gains, including Veterans Affairs (10 percent in April to 81 percent in July)." Wow... that's a lie. There were still more than 19,000 accounts in use using admin rights a week or two ago. We weren't ALLOWED to whack elevated accounts since it might KILL someone. So who made the educated guess on what the number was GOING to be? The number is down to 10,000 now and dropping, but that's not an 81% reduction.

Sat, Aug 1, 2015 Hitoshi Anatomi

Hopefully the strong authentication scheme does not involve biometrics. Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security. In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
