“No Significant Progress” toward Government-wide Cybersecurity Goal
Published: October 30, 2013
The metrics for this goal draw on agency Federal Information Security Management Act (FISMA) reporting. Each of the four CAP cyber categories is built from one or more FISMA capability areas:
Continuous Monitoring: Composed of Automated Asset Management, Automated Configuration Management, and Automated Vulnerability Management
Strong Authentication: Composed of the PIV Logical Access (HSPD-12) capability areas
TIC Consolidation: Composed of FISMA TIC Traffic Consolidation
TIC Capabilities: Composed of FISMA TIC 1.0 Capabilities (includes Einstein 2)
Cyber CAP Progress: Represents an average across Continuous Monitoring, Strong Authentication, TIC Consolidation, and TIC Capabilities.
By the end of FY 2012, agencies had made modest overall progress from FY 2011. While some areas showed marked improvements, others lagged or declined. With implementation at nearly 77% for FY 2012, reaching the FY 2013 target of more than 86% would require ambitious improvements and steady progress.
Despite year-over-year progress from FY 2011 to FY 2012, the trend reversed toward the end of FY 2013. Overall cybersecurity capability adoption fell by 1.14% between the mid-year assessment and the third-quarter assessment of FY 2013. In particular, mandatory HSPD-12-compliant PIV card use declined by just over half a percent. Beyond the funding and prioritization challenges agencies face, the cost and effectiveness of FISMA reporting itself are being called into question for emphasizing compliance over identifying and implementing targeted risk management practices.
According to the most recent progress update, agencies will miss the targets set for the end of FY 2014. This comes as little surprise given the capability implementation gap, but it is worth noting that securing federal networks was one of five key priorities called out as strategic investments in the FY 2014 budget proposal. The Cybersecurity CAP Strategy outlines three simple principles for good information security management: accountability through standard milestones, visibility through automation, and mature information security management measurement. Despite its action plans, its use of established initiatives, and cross-agency collaboration, the effort's “best laid plans” are woefully behind schedule.
As agencies continue to be held accountable through metrics like FISMA, it is worth evaluating how well these measures align with practical goals and priorities. The third-quarter update attributes part of the decrease in Strong Authentication to a fluctuation in the number of remote access users required to use PIV. Similarly, the 1.51% decrease in Continuous Monitoring over the same period was attributed to agencies reporting additional assets without yet determining whether those assets were under management. In other words, the score can fall simply because an agency has expanded its inventory faster than it has brought the newly reported assets under management. Ultimately, much as with the data center consolidation goals, these security metrics struggle to capture the context and changing conditions behind the scores.