OMB: Agencies make headway with IT security

The state of the government’s cybersecurity position has improved over the past year, but significant holes remain, especially in the areas of categorizing the risk level of systems and training, according to the Office of Management and Budget.OMB found that more than 700 systems, including 397 managed by agencies, had not been categorized as high, medium or low risk. Also, the administration said more agency employees have received information technology security training — up 10 percent since last year — but more needs to be done.In its fourth annual Federal Information Security Management Act report sent to Congress March 1, OMB said it will rely on the Security Line of Business effort to better train employees by using a standard program. OMB named three shared-service centers for security training in February: the Office of Personnel Management, the State Department and the U.S. Agency for International Development, and the Defense Department.Overall, OMB found that agencies have certified and accredited 89 percent of the 10,595 federal systems. This is a 1 percent increase since last year on more than 300 systems that departments identified.State and the Homeland Security Department made the most progress, while four agencies — which the report does not name — did not characterize the risk of a significant number of systems, OMB said.“This suggests these agencies are not prioritizing their systems and working to secure the systems presenting the highest-risk impact level, nor do they know at what level to secure those systems not categorized,” the report states. “OMB intends to follow up individually with these agencies.”The report also said agencies also made progress in testing their security controls and contingency plans. OMB found that 88 percent of all systems had their security controls tested, while 77 percent of them had their contingency plans tested. This is up from 61 percent and 72 percent, respectively, last year.DOD increased its system testing by more than 30 percent last year, OMB noted.Agencies also are paying more attention to systems managed by contractors. OMB said 18 of 24 agencies said they either frequently, mostly, or almost always have sustained oversight of contractor-run systems.Beyond securing their systems, agencies also recorded a large increase in the number of security incidents reported to the U.S. Computer Emergency Response Team (CERT).Agencies reported 706 unauthorized accesses, up from 304 in 2005. OMB credits most of the increase to the focus on reporting lost or stolen computers and other hardware containing personal identifiable information.“Privileged or root system access accounted for 25 percent of unauthorized access incidents, more than double that of non-privileged access,” the report states.Meanwhile, denial-of-service attacks increased by six in 2006 to 37, while incidents involving malicious code dropped to 1,465 from 1,806 in 2005.“The reason for this is probably two-fold — no major virus outbreaks of note in fiscal year 2006, and improvements in patching systems in a timely manner prevent vulnerabilities from being exploited,” the report states.OMB did say that the number of incidents being investigated increased by 11 times. Officials credit the increased use of intensive analysis of suspicious traffic under the Einstein program, run by CERT.“Over the next year, OMB will work with federal agencies to increase the exchange of packet level information regarding incidents, which have penetrated an agency’s perimeter,” the report states. “Sharing this data will enable more effective analysis of attacks targeting multiple federal agencies, and may enable more timely responses to new threats.”