August 10, 2015

After the “Cybersecurity Sprint,” Material Weaknesses Persist Among Federal Agencies

Federal authorities are scrambling to manage long-standing information security vulnerabilities in the wake of the high-profile Office of Public Management (OPM) hacks earlier this year. Security analysts believe that upwards of 21.5 million individuals’ sensitive personal information was stolen by external aggressors in the attack. 

In response, the White House hastily commissioned a “30-day cybersecurity sprint” requiring agencies to assess, improve, and report on existing cyber vulnerabilities. After failing to meet its own self-imposed deadline, the White House released the results late in July. While some federal agencies improved and expanded their use of “two-factor authentication” techniques to control access to computing resources, many federal agencies still lag behind, and some agencies actually reported worse results after the effort. This week’s charts show that the federal government’s cybersecurity weaknesses are not merely superficial issues that can be quickly resolved in a few short weeks; they are deep, pervasive, and systemic problems resulting from decades of poor information security practices.

This week’s charts use data from three sources: a July 8 Government Accountability Office (GAO) report entitled “Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies,” the Office of Management and Budget’s Federal Information Security Management Act (FISMA) Report to Congress for FY 2014, and the White House’s “Cybersecurity Sprint Results” report from July 2015. The charts display the material information security weaknesses federal agencies reported and their degree of compliance with prevailing federal cybersecurity standards in fiscal year (FY) 2014.

The charts show that at least half of the 24 major federal agencies surveyed report significant weaknesses in each of the five factors of cybersecurity, and a large majority of agencies remain noncompliant with the 10 core FISMA pillars decades after the agencies implemented the FISMA legislation. After a dedicated federal effort to improve strong authentication in 30 days, 10 agencies still report noncompliant outcomes, with several reporting even lower results than before the cybersecurity sprint.

The first chart reproduces a GAO chart showing, for each of the five critical cybersecurity categories outlined in an April 2015 GAO report for FY 2014, the number of agency inspectors general that reported either (1) a material weakness, defined as “a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected,” or (2) a significant deficiency, defined as “a control deficiency, or combination of control deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.” The five categories are access control, configuration management, segregation of duties, continuity of operations, and security management.

The chart shows that roughly half of federal agencies continue to struggle with systemic cybersecurity weaknesses in all five federal categories despite spending about $91.5 billion on FISMA investments over the past eight fiscal years and $12.7 billion in FY 2014 alone. 

In fact, 22 of the 24 agencies report material weaknesses in three categories: access control, configuration management, and security management. That only half of the agencies report adequate segregation of duties—basic procedures to ensure that no single individual controls all key aspects of computer-related operations—is particularly concerning, given how external hackers were able to procure and exploit root access to OPM systems in the recent hack.

The second chart uses data from the FY 2014 FISMA report to Congress to compare the number of agencies reporting full compliance with 10 FISMA standards against the number of agencies that report only partial or no compliance.

By these measures as well, federal agencies lag far behind the cybersecurity goals that policymakers have crafted and amended over the past decade. In only one category, security training, do a majority of agencies report full compliance. However, the GAO has been critical of agency security training in the past, suggesting that reported compliance does not always translate to intended outcomes.

The third chart displays the results of the recent federal cybersecurity sprint reported by the White House. While 14 agencies did improve their strong authentication practices for all users to meet or exceed the 75 percent compliance target established for the sprint, 10 agencies were unable to meet the goals. Several of these—including the Department of Justice, Department of State, and Department of Energy—regularly manage sensitive data critical for national security. It is very concerning that these agencies have been unable to implement simple two-factor authentication techniques after years of funding and a dedicated push in the wake of the OPM hack.

The fourth chart breaks down the pre- and post-sprint results reported by the 10 noncompliant agencies. Many of the noncompliant agencies that made the most progress—such as NASA, the Department of Labor, the Department of Housing and Urban Development, and the Small Business Administration—had reported zero compliance with strong authentication goals before the sprint. Three others—the Department of Education, the Department of Justice, and Department of Energy—actually reported lower strong authentication compliance after the sprint. Several of the lowest-scoring agencies regularly manage sensitive information directly related to national security and foreign development goals, including the Department of Justice, the Department of State, USAID, and the Department of Energy.

These charts suggest that the federal government’s cybersecurity weaknesses are pervasive and deep-rooted. The GAO says that the “hundreds of recommendations to agencies aimed at improving their implementation of information security controls” issued through its reports have been inadequately addressed. It is unfortunate that it required a catastrophic hack on the OPM information systems to make federal cybersecurity a policy priority. While it is encouraging that policymakers are beginning to take information security seriously, the government is dealing with systemic information security failures sown by years of inefficient technocratic planning and duplicative “reform” efforts that merely increase funding or reporting requirements. It will take more than a haphazard 30-day sprint to get federal cybersecurity in order.