Weaknesses in Social Security Administration cybersecurity during the last fiscal year collectively amounted to a significant deficiency, says the agency's office of inspector general. The OIG also bases its finding of a significant deficiency on the financial auditor's discovery of a material weakness in agency financial systems.
In an annual assessment (.pdf) dated Oct. 24 of the DHS information security program required under the Federal Information Security Management Act, auditors note several areas where DHS has yet to fully automate matters, including the tracking of network devices, external connections and software applications.
The Office of Management and Budget has "ample legal authority to adopt reforms," say the authors of the report (.pdf), who include former OMB executives such as Karen Evans, who held the equivalent of the federal chief information officer position during much of the Bush administration, and cybersecurity experts including James Andrew Lewis of CSIS.
The Office of Management and Budget says agencies no longer need to conduct a security reauthorization every 3 years, or whenever an information system has undergone what OMB Circular A-130 considers a significant change. Agencies' continuous monitoring programs fulfill the security reauthorization requirement, making a separate reauthorization process unnecessary, according to an Oct. 2 OMB memo.
The department says it wants to spend about $200 million in the coming fiscal year on the first year of a three-year program to provide cybersecurity tools to federal agencies, including installation of continuous monitoring sensors that will look for unauthorized hardware and software, conduct configuration and vulnerability management, and deploy anti-virus measures.
Continuous monitoring is employed at the Commerce Department in "pockets," but that will soon change, as the department now has a departmentwide strategy, said Simon Szykman, chief information officer of DOC.
A bill set for consideration on the House floor this week that would amend FISMA to explicitly include continuous monitoring would cost $710 million over 5 years, says CBO.
The Obama administration has placed much emphasis on continuous monitoring when it comes to securing federal networks. What it has not done is set parameters for how frequent monitoring must be in order to qualify as continuous.
Federal cybersecurity czar Howard Schmidt says the Obama administration will now focus on three priority areas needing improvement. In a blog post dated March 23, Schmidt says the Trusted Internet
Cybersecurity is one of the Obama Administration's top five information technology priorities, said Federal Chief Information Officer Steven VanRoekel, while speaking at a Feb. 24 AFCEA Bethesda