Securing our Federal Networks: Progress to Report
The President has identified the cybersecurity threat as one of the most serious national security, public safety, and economic challenges we face as a nation and has directed all federal agencies to improve their cybersecurity capabilities. Ultimately, the cybersecurity challenge in the federal government is not just a technology issue. It is also an organizational, people, and performance issue requiring creative solutions to address increasingly sophisticated threats and the new vulnerabilities introduced by rapidly changing technology. To overcome these challenges, one area on which I am focusing is the security of federal computers and networks.
On Friday, the White House released its quarterly update on the federal government’s progress to achieve the Cross-Agency Priority Goal on Cybersecurity. Our aim is for executive branch departments and agencies to achieve 95 percent implementation of the Administration’s priority cybersecurity capabilities by the end of fiscal year 2014.
Specifically, our three priority capabilities will help us know:
- what data and information is entering and exiting federal networks;
- what components or devices are on federal information networks; and
- who is on federal networks.
Today’s report shares the significant progress we made this quarter - achieving a 5 percent increase in our overall compliance score - ahead of schedule - and demonstrating an 81 percent adoption rate of the Administration’s priority capabilities by federal departments and agencies:
- continuous monitoring of the data entering and exiting our network (+5 percent increase);
- trusted internet connections to control devices on our network (+3 percent increase); and
- strong authentication of who is on our network (+13 percent increase).
I’d like to share a few of the specific successes we achieved this quarter.
We are seeking to continuously monitor the health of our federal government’s computers. By doing so, we will transform what might previously have been a manual audit of federal information system compliance to a near-real-time automated process that enables a dynamic enterprise-wide risk management process. For example, earlier this year the Department of Agriculture (USDA) implemented an “Ongoing Assessment & Authorization” program to continuously monitor and assess certain aspects of its computers’ security, such as desktop configuration management. This eliminated many required manual audits and allowed USDA to reduce expenses by 40 percent - without a negative impact on security. These savings, in turn, let USDA implement other security refinements related to continuous monitoring to achieve an even greater cost reduction, increased security awareness, and timely security results.
Trusted Internet Connections
We are working to have federal departments and agencies only access the internet through protected gateways called Trusted Internet Connections (TICs). Before this program, agencies had hundreds or thousands of different connections to the internet, and it was impossible to manage and secure all those connections. We are now well on our way to consolidating all of those connections through TIC gateways. One program helping us achieve this target is the “Managed Trusted Internet Protocol Services” (MTIPS). MTIPS is a program run by the General Services Administration (GSA) and the Department of Homeland Security that allows other agencies to contract with a major internet service provider who can provide TIC capability, enabling these agencies to protect their traffic without needing to develop their own in-house capabilities. Securing internet connections through MTIPS has already proven effective. Since GSA fully migrated to MTIPS five months ago, the agency has identified multiple incidents of malware infection that otherwise would not have been discovered.
Passwords alone do not provide strong security. We want users to have to use two-factor authentication to log in to all federal computers, whether they are logging in from home or sitting at their computer in the office. Strong authentication means using an HSPD-12 Personal Identity Verification (PIV) card and password to ensure that only authorized employees have access to federal information systems. The Department of Defense (DoD) is leading the way with 92 percent of its users (more than 3.7 million users) required to use their Common Access Card to log in to DoD networks. In addition, DoD is expanding the use of digital signatures and encryption to multiple business software applications: users can securely sign a form with the click of a button, instead of printing out a form, signing it, and scanning it!
The Path Forward
While these efforts are a very promising start, significant work remains if the federal government is to achieve the cybersecurity CAP goal of 95 percent compliance by the end of fiscal year 2014. Though we are making progress, we continue to identify new challenges as we improve data accuracy, which may produce temporary decreases in compliance percentages before they improve in the long run. For example, we are working to improve the accuracy of data used in the CAP metrics and to identify devices and networks previously excluded from continuous monitoring and TIC inventories.
Reports such as these are bringing these challenges to light and encouraging agency leadership to focus on security, fund these efforts, and hold their teams accountable. Senior leaders, from White House leadership to cabinet officials, are now accounting for cybersecurity as part of their risk management calculus and reporting on their successes and challenges in securing their networks and information. By continuing to implement the cybersecurity CAP goal, the federal government is identifying, managing, and mitigating cybersecurity risk. That means your government’s information and services are better protected against espionage and cyber attacks.