Five Takeaways from the New FISMA Report

Continuous monitoring is surging along, but agencies are really bad at authentication.

Cyber attacks were up 15 percent last year.

Agencies spent $12.7 billion on cybersecurity in Fiscal 2014. The annual Federal Information Security Management Act compliance report paints a dismal picture of Federal IT security.

Let’s break it down.

Authentication efforts are lagging. “Numerous agencies have made no progress meeting the Strong Authentication CAP [cross agency priority] goal. SBA, NRC, HUD, Labor, and State were all at 0% Strong Authentication implementation at the end of FY 2014.”

Fifteen agencies “have yet to reach even 50% implementation on the Strong Authentication initiative.”

Fiscal 2014 goal was to have Strong Authentication implementation at 75 percent. That’s a big deal because most cyber threats can be neutralized using Strong Authentication, the report says: “US-CERT incident reports indicate that in FY 2013, 65% of Federal civilian cybersecurity incidents were related to or could have been prevented by Strong Authentication implementation. This figure decreased 13% in FY 2014 to 52% of cyber incidents reported to US-CERT.”

What’s Your Password?
Weak authentication systems plague many agencies, and not surprisingly, those with weak systems suffer more attacks.

“Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering. The following 16 agencies fall into this category: State, Labor, HUD, OPM, NRC, SBA, NSF, USAID, USDA, Energy, DOT, Interior, VA, Justice, Treasury, and NASA.”

Sixteen? Yikes.

Ticked Off? Nope.
But agencies are doing much better implementing Trusted Internet Connections, or TIC. Today, the report says, 92 percent of agencies have TIC 2.0 capabilities. Well that’s one bright spot.

Feds Like CDM
CDM looks like a strong point, too. “Based on the IGs’ reviews, continuous monitoring programs were in place at 19 departments. Seven IGs reported that their department had all components of a continuous monitoring program in place.”

At the end of Fiscal 2014, 1.7 million licenses for security monitoring tools and products had been purchased by and distributed to agencies.

It’s a good thing: Cyber attacks increased 15 percent last year, and they show no sign of slowing down.


Feds Respond
Feds aren’t standing still.

First, President Obama announced the new Cyber Threat Intelligence Integration Center. CTIIC, or “see-tick,” will reside in the Office of the Director of National Intelligence, gathering and coordinating data from cyber programs in the intelligence world and sharing it with civilian agencies, including the Department of Homeland Security and the FBI.

The idea is to ensure that intelligence agencies don’t hoard their information and that more of it gets to DHS’s National Cybersecurity and Communications Integration Center (NCCIC), reports The Hill’s Cory Bennett. The center will also ensure agencies are exchanging cyber data with one another. Intel officials aren’t the only ones being asked to take on leading roles. The administration also issued a new executive order promoting information sharing on cyber security in the private sector.

DISA’s New Role
The Defense Information Systems Agency (DISA) is taking over day-to-day operations of the U.S. Cyber Command from the National Security Agency (NSA).

The change allows CyberCom to focus on strategic operations and coordination between combatant commands. NSA Director and Commander of the Cyber Command Adm. Mike Rogers told Newsweek CyberCom is behind in terms of building its cyber defenses and creating a framework for when and how to go on the offensive, reports Lauren Walker. “We’re not mature, and we’re clearly not where we need to be,” Rogers said. “I just think, between a combination of technology, legality and policy, we can get to a better place than we are now.”

Reading between the lines: Is this more fallout from Snowden and Wikileaks or just an interesting subplot? Do we have to wait for the sequel?

CIA in on the Act
CIA Director John Brennan is getting his agency into the action, too. The CIA will dramatically expand its cyber-espionage capabilities as part of a restructuring plan, reports the Washington Post’s Greg Miller.

Although smaller than the NSA, the CIA has substantial cyber capabilities. Miller writes: The agency’s “Information Operations Center, which handles assignments such as extracting information from stolen laptops and planting surveillance devices, is now second only to the Counterterrorism Center in size.” He continues: “The CIA also oversees the Open Source Center, an intelligence unit created in 2005 to scour publicly available data, including Twitter feeds, Facebook postings and Web forums where al-Qaeda and other terrorist groups post material.”

Cyber Symposium
The cybersecurity plot thickens at the Symantec Symposium April 15, where cyber experts will be laser-focused on insider threats, mitigating risk, managing information, and information access.

Starring experts from DOD, DHS, NSA, FBI, NCIS, DISA, FCC, CERT, and the State Department, the symposium will deliver unique perspectives and expertise from a range of stars and rising stars.  And don’t miss former FBI Director Robert Mueller’s keynote.

Let us know what agencies can do better to improve cybersecurity and what law enforcement can do to protect consumers from the next Target-like breach.


Feel like sharing something Noteworthy? Post a comment below or email me at

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.