The federal CIO published a scorecard showing how agencies had boosted -- or, in some cases, failed to boost -- their strong authentication implementation during the government cyber security sprint.
After a long wait, the White House has released results on agencies' progress on strong authentication during the government's 30-day cybersecurity sprint.
"One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication," federal CIO Tony Scott wrote in a July 31 blog post. "Over the course of the Sprint, agencies made significant progress in this area."
Government-wide, agencies increased strong authentication use for privileged users from 33 percent to 75 percent between April and July; for all users, the increase was 42 to 72 percent.
The results show 14 major civilian agencies surpassing Scott's goal of 75 percent for strong authentication, and several agencies hit 100 percent for privileged users alone. Ten agencies missed the mark.
The General Services Administration topped the list, going from 94 percent to 99 percent strong authentication between April and July.
Other agencies made large gains, including Veterans Affairs (10 percent in April to 81 percent in July), the Interior Department (43 to 89 percent) and the Nuclear Regulatory Commission (0 to 78 percent).
The Office of Personnel Management, the agency at the center of it all, went from 42 percent to 97 percent.
Other agencies, including NASA and the Labor Department, missed the goal but still posted large improvements. A few agencies, however, including the Education and Energy Departments, actually posted drops in strong authentication percentages between April and July.
"Today's results from the administration's cybersecurity sprint underscore [the] need [to stay ahead of ever-evolving cyber threats]," Sen. Tom Carper (D-Del.) said in a statement. "Far too many agencies need to step up when it comes to strengthening their cyber defenses."
"But Congress has a responsibility to help, too," he added, plugging the cyber bill he and Senate Homeland Security & Governmental Affairs Committee Chair Ron Johnson (R-Wisconsin) are sponsoring.
That bill, the Federal Cybersecurity Enhancement Act of 2015, would require stronger cyber protections in agencies and speed the adoption of the Homeland Security Department's Einstein intrusion detection system across government.
Scott echoed Carper's call for congressional support, and said good cyber security measures will take increased funding. And while strong authentication was the focus of the July 31 report, that was merely one element of the sprint's scope.
"Although the sprint may have come to a conclusion, it is only one leg of a marathon to build upon progress made, identify challenges, and continuously strengthen our defenses," Scott noted.
He said he's assembled a team of 100 experts from the private sector and government alike to analyze results of the sprint.
"Ultimately, the team's assessment will inform and operationalize a set of action plans and strategies to further address critical cyber security priorities and recommend a Cybersecurity Sprint Strategy and Implementation Plan to be released in the coming months," Scott said.