Federal Government Cybersecurity Survey 2012
Transcript of "Federal Government Cybersecurity Survey 2012" (InformationWeek Government, April 2012), 7/31/2019
Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring.
By Ed Moyle and Diana Kelley
informationweek.com/government
CONTENTS: The Business Value of Technology, April 2012, Issue 12

3 Down To Business: Federal efforts to cut IT costs don't go far enough

QUICKTAKES
4 NASA's Web Plan: Space agency's new Web architecture will apply open source, cloud computing, and commercial technologies
6 Tech Portfolios Under Scrutiny: Government-wide IT portfolio reviews are aimed at rooting out duplication
8 Post-WikiLeaks Security: State Department continues to enhance security in order to prevent data leaks

COVER STORY
9 Threats Vs. Readiness: Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring.

CONTACTS
18 Editorial and Business Contacts
Federal CIO Steven VanRoekel maintains that over the past three years, the federal government has done much in adopting private sector practices to triage broken IT investments, reduce the IT infrastructure footprint, and innovate with less. But by his own account, it hasn't done enough.

So a few weeks ago, VanRoekel and Office of Management and Budget acting director Jeff Zients introduced PortfolioStat (see story, p. 6), a series of annual data-based reviews of agency IT investments (more sweeping than the existing TechStat program), as well as a new requirement for federal agencies to develop consolidation plans for commodity IT services. All good, as long as these measures actually produce meaningful spending cuts rather than just shuffle federal IT dollars around.

In a memo announcing the two initiatives, VanRoekel called out the Department of the Interior, which he says will realize $100 million in annual savings (on an IT budget of about $1 billion) from 2016 to 2020 by modernizing IT infrastructure and aligning resources to improve customer service. Furthermore, he estimated that IT spending reviews already carried out at Interior have rendered $11 million in cost avoidance and $2.2 million in redirection.

The fact that Interior's fiscal 2013 IT budget is pegged to decline by $28.6 million, or 2.9%, compared with the previous year's budget is a positive sign. But let's see if the agency's annual IT budget falls by anywhere near $100 million between 2016 and 2020.

VanRoekel is quick to note that fiscal discipline is returning to federal IT. After growing at a compound annual growth rate of more than 7% between 2001 and 2009 (lean years for private sector IT organizations), federal IT spending has come in flat ever since. Still, at about $80 billion, the federal IT budget could use a haircut. Instead, for every IT dollar budgeted to be cut next year at the likes of Interior (down $28.6 million) and Justice (down $102 million), an additional dollar will be spent at the likes of Agriculture (up $79.9 million) and Treasury (up $358.7 million).

For all their talk about adopting private sector practices, few in Washington have the stomach or will to make the kinds of hard decisions that companies make all the time, the kinds that cut budgets rather than just
panding. Agency CIOs are a
from the politicians and car
Consider the federal bud
few weeks ago. As part of his
cuts proposed by Wisconsin
Ryan, President Barack Oba
already eliminated dozen
werent working. But accor
Journaleditorial, the savin
nations amount to less tha
get, or less than $100 millio
publicans were penny-pincadministration. Far from it
George W. Bushs eight yea
doubled to more than $10
VanRoekel and his prede
dra, have done well to id
cost avoidance and red
of the TechStat program.
billions and more from fu
well be more impressed.
Rob Preston is VP and editor in chief
can write to Rob at rpreston@techw

Down To Business
Federal IT Savings, Or Old-Fashioned Spending Shuffle?
NASA plans to build a new Web architecture that applies cloud computing, open source, and commercial technologies in support of its websites and internal Web services.

The architecture is the flagship initiative of the space agency's newly updated open government plan. NASA and other federal agencies have updated their open government efforts in keeping with version 2.0 of the Obama administration's Open Government Initiative, originally launched in 2009.

The agency's existing Web infrastructure supports the development and hosting of 140 applications and 1,590 websites, deployed on a variety of systems. Its primary site, NASA.gov, draws 600,000 visitors daily and serves as a hub for more than 250 accounts on social media platforms such as Twitter, Facebook, and Foursquare.

The open government plan calls for a single infrastructure to support those apps and a majority of the websites. The agency is looking to use open source, cloud computing, commercial products, and government off-the-shelf technology in lieu of customized technologies. And it plans to make increased use of fast, iterative software development methodologies like agile development.

This effort will provide a new agency-wide capability to create, maintain, and manage the NASA.gov Web environment and associated services, which represent what open government at its best can and sho
gram manager Nick Skytlan
duction to the open govern
Liberating Data
The strat egy inclu des m
data publicly available th
Data.NASA.gov and the fed
The agency plans to release
the next two years, repres
NASAs internal work as poquire publishing APIs and fu
to liberate data and conte
NASA will also expand its
capabilities. It plans to im
repository with social feat
OPEN GOVERNMENT 2.0
NASA Web Plan Incorporates Cloud, Open Source, Social Media
QUICKFACT: NASA.gov gets 140M
tion, increase the number of challenges it runs to engage the public in projects, and host events that let users of Facebook, Twitter, and other platforms interact with agency personnel.

The agency will launch a pilot program to test the feasibility of using an open source content management system as a replacement for the proprietary system in place. If that goes well, it will consolidate multiple blogging infrastructures to the new content management system within a year. Another near-term objective is to develop an API for releasing content on NASA.gov. Within two years, NASA wants to move its websites to the new Web infrastructure.

Making use of open source was a flagship initiative in NASA's original open government plan, and it's now looking to collaborate more actively with the open source development community. NASA already has an open source code repository, Code.NASA.gov. Its open government site is built on the LAMP (Linux, Apache, MySQL, PHP) software stack and an open source content management system.

Also, the agency is looking to expand use of technology accelerators, initiatives such as public-private partnerships and innovation mentoring. The agency points to its International Space Apps Challenge and Random Hacks of Kindness volunteer development program as examples of such efforts.

J. Nicholas Hoover ([email protected])
White House efforts to wring savings from federal IT investments have received another push, this time in the form of a new plan to conduct government-wide IT portfolio reviews, along with new requirements for centralizing IT services.

Jeff Zients, acting director of the Office of Management and Budget, and federal CIO Steven VanRoekel on March 30 announced two initiatives: one called PortfolioStat, a series of face-to-face, data-based reviews of agency IT portfolios, and another requiring agencies to develop consolidation plans for commodity IT services.

Their memo implored agencies to focus on high-value IT investments and stop deploying redundant IT services. "The stove-piped and complex nature of the federal enterprise has led over the years to a proliferation of duplicative and low-priority investments in information technology," they wrote. "At the same time, agencies too often seek to develop homegrown, proprietary solutions first, before assessing existing options for shared services or components."

PortfolioStat was inspired by private-sector practices as well as by OMB's TechStat program, launched in January 2010 by former federal CIO Vivek Kundra. In the early going, TechStat was used to identify big-budget IT projects that were at risk of running over budget or falling behind schedule, which in turn led to corrective action. TechStat project reviews are now applied more broadly within agencies. The Obama administration says that
TechStat has generated som
ings and cost avoidance s
The Dark Corners
Businesses have used IT
ment for years, and OMB lo
Restaurants, and Symant
plans for PortfolioStat. Va
post, writes that PortfolioS
the maturity of agencies IT
ment processes and give t
into the darkest corners of tfind wasteful and duplicativ
As part of the PortfolioSt
deputy secretaries or chief
are required to work with t
agency CIOs, CFOs, and ch
cers to sift through and find
portfolios. This level of exe
is a direct reflection of ou
strategic asset that can dra
productivity and the way
their mission, VanRoekel w
PortfolioStat sessions w
THE SHARED-SERVICES ALTERNATIVE
White House Seeks To Root Out IT Duplication With Portfolio R

PortfolioStat's 5-Step Process
>> PHASE 1 Provide high-level survey of agencies' IT portfolios.
>> PHASE 2 Develop action plan; consolidate duplicative systems and contracts.
>> PHASE 3 Conduct PortfolioStat review; identify next steps.
>> PHASE 4 Document cost savings, improvements gained through review.
>> PHASE 5 Share lessons learned for continuous process improvement.
modity IT investments, redundant or duplicative systems and services, and investments that are poorly aligned to an agency's mission. OMB outlined a five-step process for the program, beginning with baseline data gathering and concluding with an assessment of lessons learned. The document describing those processes provides deadlines for specific objectives to be completed over the next 10 months.

In the early going, agencies must complete a survey of their IT portfolios and a bureau-level information request for specific types of commodity IT investments that will be used in assessing the portfolios. That review will be followed by one-hour PortfolioStat review sessions, the first of which must be held by the end of July. Those sessions are supposed to lead to "concrete next steps to rationalize an agency's IT portfolio," according to the memo.

Agencies are required to create consolidation plans for the commodity IT services they use, with final plans by the end of August. PortfolioStat leaders are to set targets for reducing spending on commodity IT and demonstrate how IT portfolios align with agency missions and business functions. By year's end, agencies are expected to transition two commodity IT areas, such as email, wireless services, or productivity tools, to shared services or consolidated purchasing.

J. Nicholas Hoover ([email protected])
Eighteen months after its diplomatic cables were exposed in the WikiLeaks breach, the State Department continues to lock down its confidential information, while using social media to further its work in other ways.

State Department CIO Susan Swart, in an interview with InformationWeek at the agency's Washington, D.C., headquarters, outlined steps under way to prevent any further data leaks. The State Department has "continued to enhance the security of our classified data and systems post-WikiLeaks," she said, adding that the department is playing a lead role in the interagency response to WikiLeaks that was launched last year by presidential order.

The agency is deploying new security technology, including auditing and monitoring tools on its classified networks and systems. State has also begun tagging information with metadata to enable role-based access to those who need it, and is planning to implement public key infrastructure on its classified systems by the summer of 2014.

Following the November 2010 WikiLeaks breach, the State Department suspended outside access to several of its classified information portals. Those portals, including the Net Centric Diplomacy diplomatic reporting database, ClassNet classified websites, and some SharePoint sites, remain largely inaccessible or subject to restricted access from other networks.

The agency has also improved its cybersecurity training, and it's working closely with the Department of Homeland Security and the National Security Agency on cybersecurity issues.

Other Priorities
The department's other technology priorities include IT consolidation, mobility, social media, cloud computing, and improved IT governance, Swart said. The agency is also analyzing the tech tools that are available to diplomats and what more may be needed. Any additions will have to be carried out within the context of a lower IT budget. The White House's proposed budget for fiscal 2013 would decrease
IT spen
Department by 4.8%, to $1
One high priority is to con
affairs community onto a
known as the Foreign Affair
other federal agencies, the
consolidating data centers.
its going from 14 data cen
classified processing from
being done in a handful of
Under its eDiplomacy in
Department is ramping u
media and the Internet for
erations. The agency curr
ployees dedicated to the eusing the Web and other
tions technologies to furth
relations efforts.
Examples of the eDiplom
way include the departm
public social networks, exte
Note, an internal bloggin
known as Communities @
based collaborative ency
matic affairs called Diplope
on Wikipedia.
J. Nicholas Hoover

SECURITY FIRST
State CIO Outlines Post-WikiLeaks Steps
COVER STORY
Threats Vs. Readiness
Hacktivists and cybercriminals pose the greatest threats to federal agencies. The feds are fighting back with continuous monitoring.
By Ed Moyle and Diana Kelley

Cybersecurity is the No. 1 priority of federal IT profes
shot. That's been the key finding of InformationWe
ernment IT Priorities Survey each of the past two ye
have to look any further than the threats posed
LulzSec, or WikiLeaks to understand why.
What are the most dangerous cyberthreats? And ho
sponding? InformationWeek launched our 2012 Fed
Cybersecurity Survey to find out. Our poll of 106 f
volved in IT security for their organizations was condu
asked respondents to rank the threats they face and their readiness to deal with them. We inquired about cybersecurity spending and where agencies are investing. And we probed into the most significant challenges they face.

Our survey results show that organized cybercriminals and hacktivists are viewed as the greatest threats to IT security. At the same time, government IT pros say they're least prepared for leaks that take place through social media. And a crush of competing priorities is the biggest challenge to effective execution.

The good news is that agencies feel they've made significant improvements in cybersecurity. This is the perception of agencies themselves, as well as the assessment of government evaluators charged with monitoring progress under the Federal Information Security Management Act (FISMA).

Despite the progress, attacks are on the rise, and agencies must continue to bolster their defenses. In a report to Congress published in March on FISMA implementation in fiscal year 2011, the Office of Management and Budget (OMB) disclosed that the number of computer security incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT)
that impacted governmen
to 43,889. Longer term, fe
curity incidents have ris
years, according to a repo
by the Government Acco
Top Security Initiatives
Which of these IT security and cybersecurity initiatives are most important to your agency? (Respondents selected their three most important.)
Implementing continuous monitoring systems: 43%
Upgrading standard defenses (e.g., firewalls and antivirus): 41%
Improving security of agency-issued mobile devices: 35%
Deploying intrusion-prevention capabilities: 27%
Implementing technologies and processes to thwart insider threats: 25%
Deploying PKI-based ID smart cards: 23%
Hiring and cultivating cybersecurity skills: 18%
Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012
explaining that increase, the GAO cited persistent weaknesses in information security controls, due to incomplete implementation of security programs.

So clearly, there's room for improvement in how agencies prepare and respond. Step one is raising awareness of cyberthreats and establishing an organizational commitment to readiness. It's imperative that an agency's top leaders, not just chief information security officers and their information assurance teams, get behind the effort. Steps to improve security include meeting the FISMA requirements and also understanding the security implications of new technologies such as virtualization and cloud computing.

Underscoring the urgency of cybersecurity, the White House and Congress are both involved in national planning. President Barack Obama called cyberthreats "one of the most serious economic and national security challenges we face as a nation," and there are two security bills moving through Congress, the bipartisan Cybersecurity Act of 2012 (S. 2105) and the GOP-sponsored Secure IT Act of 2012 (S. 2151).

A majority of federal IT pros feel they're up to the task. When asked about their overall state of cybersecurity readiness, 83% of survey respondents rate their agencies as excellent or good.

But are they being overly confident, which could be dangerous? According to OMB's report to Congress for FY 2011 on FISMA policy compliance in several broad areas, including continuous monitoring, trusted Internet connections, and implementation of identity smart cards under Homeland Security Presidential Directive 12 (HSPD-12), agencies were 73% compliant in the areas measured, compared with 55% in FY 2010. That's progress, but with room for improvement. The other side of the story is 27% noncompliance.

To close the gap, agencies are asking for more funding for their cybersecurity initiatives. The Department of Homeland Security requested $769 million for security initiatives in its FY 2013 budget, a 60% increase over the previous fiscal year. DHS seeks to establish broader capabilities in network security, expand research and development, and add support for enforcement of cybercrimes, among other areas of investment.

Our survey sheds light on spending plans more broadly. A quarter of respondents say that their agencies will increase cybersecurity spending by more than 5% in FY 2013, and another 29% indicate spending will rise by up to 5%. On the other hand, cybersecurity spending is expected to be flat at 29% of agencies and decrease at 9%, and that's cause for concern. (Eight percent didn't know or declined to answer.) We understand that overall IT budgets are flat or declining in many agencies, putting pressure on all areas of investment. But IT decision-makers must find ways to adequately fund cybersecurity infrastructure, given the trend toward continuous monitoring, the requirements of FISMA, and the fact that cybersecurity is the No. 1 IT priority across government.

FISMA Compliance
When it comes to what influences cybersecurity planning in agencies, FISMA is king. In
our survey, FISMA ranks a
cant influencing factor for
egy, just ahead of the cont
requirement and US-CERT,
curity incidents and the Ein
tection system.
As any information securtell you, FISMA hasnt been
critics argue it isnt making
cure. Youre drawing aw
whats important by tak
were focused on real secur
ing them instead on chec
Dave Amsler, president
ground Security.
The government has red
bureaucratic burden throuprocess for automating FIS
than 75% of the agencies r
fice of Management and
port can now provide aut
to CyberScope, compared
NIST's Ross: Continuous monitoring aims to reduce risk
demonstrated this capability a year earlier.

Even so, FISMA compliance fell for more than half of 24 agencies reviewed in the report, which assesses IT security programs in 11 areas, including risk management, configuration management, and identity and access management. Only seven agencies achieved more than 90% compliance in the areas measured. Eight agencies fell into the "red zone" in the report, meaning they have less than 65% FISMA compliance. The departments of Transportation, Interior, and Agriculture were at the bottom of the list. The Department of Defense didn't provide enough detail on its compliance levels to be included in the report.

Much work remains in satisfying the White House's cybersecurity priorities. As outlined in OMB's FISMA report, the administration's top three priorities for FISMA are continuous monitoring, logical access control (as spelled out in HSPD-12), and trusted Internet connections (TIC v2.0). The priority areas were selected based on the overall impact they have on cybersecurity readiness. Here's how plans to implement those three initiatives are shaping up, as reflected in our survey results.

Continuous Monitoring
Continuous monitoring is getting the lion's share of attention from agencies. The goal is to replace a static, point-in-time view of an agency's information security posture with near-real-time visibility into system health. It's important not just because it's required under FISMA, but because it makes good operational sense.
Continuous monitoring gets rated as the top cybersecurity initiative in our survey, with 43% of respondents choosing it from a list of 10 possibilities. (Respondents were asked to select their three most important initiatives.) That was followed by improvements to standard defenses (e.g., information security software like firewalls and antivirus), identified by 41%, and mobile device security, at 35%.

This tells us that, while federal IT pros recognize the importance of traditional security controls and defenses, they also understand they likely need to improve continuous monitoring. Continuous monitoring is largely about managing risk, says Ron Ross, senior computer scientist with the National Institute of Standards and Technology (NIST) and project leader for the FISMA Implementation Project. "We start by looking at the risk assessment, based on what adversaries are doing that might be a threat and impact the mission," Ross says. The goal of continuous monitoring is to attempt to evaluate the actual performance of the controls at reducing overall risk. So agencies must understand the risks posed to their systems and networks, and the monitoring plans they put in pla
on those risks and reduce t
sey, senior information sec
NIST and author of special p
Information Security Cont
For Federal Information Sy
zations, says that getting twrong can undermine con
efforts. Everything starts
agement framework, Dem
isnt right, everything that
be at issue. A good conti
framework will lead you to
ate control selection, and t
you to look for ways to mo
Whats good monitoring
standing a few things abcontrol: whether its functi
appropriate to the task at h
environment within whic
ates. For example, the p
federal law enforcemen
agencies have become f
Anonymous and LulzSec.
That leads IT to focus on
collect and not just what i
cies will look to automate
they shouldnt ignore that
formation might only be a
What's Your Agency's Overall Cybersecurity Readiness?
Excellent; appropriate systems, processes, and policies in place: 25%
Good; some systems, processes, or policies need updating: 58%
Poor; necessary systems, processes, or policies are lacking: 10%
Don't know or decline to say: 7%
Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012
manual collection process. Automated metrics may be more cost effective, but those alone could leave you with an incomplete picture of the environment.
Pete Lindstrom, research director of Spire Security, warns about becoming slowed by data overload. "A jumble of arbitrary data without a frame of reference isn't monitoring; it's white noise," he says. "A valuable metric is one that tells us something about effectiveness of the control, efficiency of operation, or both."
Continuous monitoring needs to be more than just a distillation of what you're currently collecting. Dave Shackleford, CTO of security research firm IANS, recommends comprehensive whitelisting (granting privileges to trusted users or sites) and file integrity monitoring (keeping a close eye on changes to server files). "Monitoring things like antivirus and host-based IDS has some merit but has proven ineffective in countering the more advanced threats seen today," Shackleford says.
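As an added example (not code from the article, IANS or NIST), a minimal file integrity monitor of the kind Shackleford recommends: it baselines SHA-256 digests of every file under a directory and reports files added, removed or modified since, drift that antivirus signatures would not flag. The directory tree, file names and contents in demo() are constructed for the example.

```python
# Added example, not from the InformationWeek article: a minimal file
# integrity monitor (baseline SHA-256 digests, then report drift).
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (posix-style relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(baseline, current):
    """Classify drift between two snapshots; lists are sorted for stable reports."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a constructed sample tree, baseline it, tamper with it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        sample = {"etc/hosts": b"127.0.0.1 localhost\n",   # constructed sample files
                  "etc/motd": b"welcome\n",
                  "app.cfg": b"debug=false\n"}
        for rel, body in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Simulated changes: a config edit, a deleted file, an unexpected new file.
        with open(os.path.join(root, "app.cfg"), "ab") as fh:
            fh.write(b"debug=true\n")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "etc", "cron.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['etc/cron.sh'], 'removed': ['etc/motd'], 'modified': ['app.cfg']}
```

In production the baseline would be stored off-host (or signed) so that an intruder who alters a file cannot also alter the record it is compared against.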
HSPD-12: Tackling Identity Management
Recognizing that a single, trusted source
of user identity information is critical to in-
formation security, HSP
bring a unified identity m
egy to federal governmen
quires that all agencies m
robust credential: a Perso
cation (PIV) smart card
used for digital signaturetication. In our survey, 23
identify deployment of P
cards as one of their top t
initiatives.
The specifics of the p
cards are outlined in a W
issued in February, titled
mentation of HSPD-12
mon Identification Standa
ployees And Contractorsshould at least have a pl
ceed, particularly as it rela
tion of physical and logica
tems, a key tenet of th
identity management pla
According to the Offic
and Budgets FISMA repo
employees and contract
sonal Identity Verificatio
have them. Moreover, 66
user accounts are configu
cards to authenticate to a
[Chart: What's The Most Significant Challenge To IT Security At Your Agency? Response options: Competing priorities and other initiatives; Resource constraints; Complexity of the internal environment; Lack of technical solutions; Lack of clear standards; Lack of top-level direction and leadership; Reliance on vendors for aspects of security; Other. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]
up from 55% in fiscal year 2010. It's progress, but the job's not done.
Trusted Internet Connections
The third of the White House's cybersecurity priorities is consolidating traffic under the Trusted Internet Connections initiative, which aims to consolidate and apply baseline security measures to external network connections, including the Internet. Such controls include network filtering and other capabilities, such as the National Cybersecurity Protection System's Einstein 2 incident monitoring. That capability is being updated in Einstein 3, which adds real-time packet inspection and applies predefined signatures for threat detection.
TIC should be on every agency's radar at least until September, the next critical milestone. By then, all TIC Access Providers (designated agencies that provide TIC services to other agencies) must be 100% compliant with the TIC v2.0 reference architecture. Other agencies must achieve TIC v2.0 capabilities by that same date through use of an approved and accredited TICAP for all external connections.
Not Ready For Social And Mobile
InformationWeek's 2012 Federal Government Cybersecurity Survey shows that agencies are least prepared for some of the newest threats. When asked to rate their level of readiness, respondents give some of their lowest scores to leaks through social media (with 28% completely or somewhat unprepared) and unsecured mobile devices (18% completely or somewhat unprepared).
Federal IT managers are racing to get
ahead of those risks. The
ample, recently warned
that geotagging photos o
other social media coul
units location. And the
Agency, the Departmen
civilian agencies are eva
cure mobile devices, as
[Chart: What's your agency's level of preparedness for these attacks? Scale from 1 (Completely unprepared) to Ready For Attack. Threats rated: Malware and spyware; Phishing attacks on agency employees; DDoS; Cyberattack by foreign governments; Zero-day exploits; Leaks through service providers or partners; Insider threats; Unsecured mobile devices; Leaks through social media. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals]
look to use them in their daily work.
We also asked respondents to rank threats, from greatest to lowest. Topping the list are organized cybercriminals and hacktivists, a reflection of the emergence of groups such as Anonymous and LulzSec, which have launched denial-of-service attacks against some federal agencies. Insider threats rank second, followed by foreign states.
Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, testified before Congress in March on the emergence of China as one such threat. China is stealing a great deal of military-related intellectual property from the United States and was responsible for last year's attacks against RSA, Alexander told the Senate Armed Services Committee. "We need to make it more difficult for the Chinese to do what they're doing," he said.
In terms of tools and technologies for establishing cybersecurity, the most widely deployed are workaday controls like firewalls (used by 96% of respondents), antivirus software (94%), anti-spyware software (93%), and VPNs (91%). Mobile device security (70%) and cloud services security (52%) are lower on the list of in-use technologies, but they're the two that will be most in demand as first-time security technologies in FY 2013. Both illustrate the evolving nature of cybersecurity requirements, as new technologies are brought into the workplace, forcing security teams to respond.
When asked about the most significant challenge to their IT security efforts, survey respondents point first to a familiar problem: too many competing priorities and other initiatives, cited by 35%. That's followed closely by a second, equally familiar issue, resource constraints (31%).
Notably, technology itself doesn't seem to be much of a problem. Only 4% of survey respondents cite lack of technical
gle biggest challenge to theAgencies can ease the r
redirecting funds from lo
tives toward their cybersec
the emphasis that IT pro
place on cybersecurity, an
ing paid by the White Hou
would seem that when t
should be a budget.
Ed Moyle is a senior security strateg
Kelley is a security adviser and co
[Chart: How Will Cybersecurity Spending Change In Fiscal Year 2013? Response options: Increase more than 5%; Increase 1% to 5%; Stay the same; Decrease 1% to 5%; Decrease more than 5%; Don't know or decline to say. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals]
Copyright2012UBMLLC.All r