The threat landscape may be expanding, but federal agencies are getting better at meeting requirements laid out in the Federal Information Security Management Act, according to the annual FISMA report presented to Congress on May 1 by the Office of Management and Budget (OMB).
This year's report, based on agency self-assessments for the 2013 fiscal year, showed that agencies met 81 percent of the FISMA requirements, up from 73 percent the year before. One of the biggest areas of improvement was email encryption, at 51 percent, up from 35 percent the year before.
In a letter accompanying the report, OMB Deputy Director for Management Beth Cobert told Congress that “OMB continues to work with agencies to fulfill the requirements of FISMA and implement increasingly resilient information technology security and privacy management programs.”
According to the report, much of agencies' effort has focused, and will continue to focus, on three initiatives — protecting existing information and information systems, supporting the safe and secure adoption of emerging technologies, and building a sophisticated information security workforce.
The report notes that by “designating cybersecurity as a Cross Agency Priority (CAP) Goal,” the Obama administration increased “senior government officials' visibility of and accountability” for safeguarding information and information systems. The CAP goal employs three strategies to better protect government networks — trusted internet connections, continuous monitoring and strong authentication (HSPD-12).
And agencies have put some money behind their efforts, spending more than $10 billion in the last fiscal year on IT security. The report says that $3.6 billion of that went to stemming malicious activity, while $2.7 billion was put toward intrusion detection and mitigation. Another $4.1 billion went to boosting the effectiveness of the government's cybersecurity initiatives.
Federal agencies continue to face multiple threats. Among the 25 largest organizations, called the CFO Act Agencies, non-cyber incidents — such as leaking information on paper documents — accounted for more than 25 percent of overall security incidents while policy violations accounted for almost 20 percent of digital incidents, up from 5.2 percent the year before. Smaller agencies were plagued by different problems — with the biggest issue being suspicious network activity (at 22 percent).
The government will continue to sponsor R&D on insider threat assessment methodology as well as mitigation strategies through the CERT Insider Threat Center, the report says, noting that “mitigating the malicious insider remains a significant challenge and requires the composite application of several tactics and capabilities.”