Agencies fall short of White House targets for cybersecurity
The White House continues to see an upward trend in new cybersecurity practices governmentwide, but the Obama administration is finding that not all agencies are living up to the cyber standards it set forth in last year’s cross-agency priority goals.
Published with the 2015 budget, the cross-agency priority (CAP) goals focus on longstanding and critical issues affecting agencies across the federal government. Cybersecurity — one of the first mentioned of the White House’s 15 CAP goals — is a mission-based goal to “[i]mprove awareness of security practices, vulnerabilities, and threats to the operating environment, by limiting access to only authorized users and implementing technologies and processes that reduce the risk from malicious activity,” according to a goal statement. It says the president views cybersecurity as “one of the most serious national security, public safety, and economic challenges we face as a nation.”
A recent update posted on Performance.gov shows that the 24 CFO Act agencies’ cybersecurity CAP goal performance increased by 3.89 percent in the fourth quarter of fiscal year 2014 to 89 percent overall, based on the percentage of their cybersecurity practices that comply with CAP cybersecurity standards, such as the use of continuous monitoring, strengthened authentication and identity management, and trusted Internet connection. Though that’s more dramatic growth than in either of the two prior quarters, it’s still short of the overall cybersecurity CAP goal of 95 percent.
On a more granular level, many agencies came close to but still fell short of achieving the targeted performance level of certain cybersecurity standards. CFO Act agencies improved their use of continuous monitoring by 4.05 percent to 92 percent overall, but also fell short of the 95 percent goal set forth in the CAP. Likewise, trusted Internet connection use and consolidation both increased a few percentage points; the latter, though, has reached its 95 percent target set forth in the CAP goal.
Many agencies are also strengthening their authentication and identity management through the use of personal identity verification cards. About 72 percent of CFO Act employees are using PIVs, while CAP set the target at 75 percent. A lot of that has to do with Defense agencies, though, which have had great success with common access cards. According to the fourth quarter update, just 41.01 percent of civilian CFO Act agencies are using PIV cards, and five agencies don’t use them at all.
Several individual agencies saw marked increases on component cybersecurity CAP goal performance. The Commerce and Interior departments, for instance, improved their scores in continuous monitoring subcategories — asset management, configuration management and vulnerability management — and in use of PIV cards, both by 10 percentage points or more since the third quarter.
The Department of Health and Human Services was the lone agency that saw any major regressions, falling by 10 percent in cybersecurity performance in continuous monitoring configuration management and vulnerability management, as well as its use of trusted Internet connection 2.0 capabilities.
The chart below shows where the 24 individual agencies stand on the different areas of the cybersecurity CAP goals.
FedScoop reached out to the White House’s Office of Science and Technology Policy for comment on the update.