Discussion 1 needed

John_matt
week_1_reading.pdf

ANNUAL REPORT TO CONGRESS:

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

OFFICE OF MANAGEMENT AND BUDGET

February 27, 2015

TABLE OF CONTENTS

INTRODUCTION: FEDERAL CYBERSECURITY YEAR IN REVIEW ................................................. 6

SECTION I: STRENGTHENING FEDERAL CYBERSECURITY ........................................................... 9

A. Federal Government Programs Designed to Combat Growing Threats ........................................... 9

B. OMB’s Role in Federal Cybersecurity ............................................................................................ 12

SECTION II: STATE OF FEDERAL CYBERSECURITY ....................................................................... 14

A. FY 2014 Cybersecurity Incidents ................................................................................................... 14

B. Agency Cybersecurity CAP Goal Performance .............................................................................. 18

C. E-Gov Cyber Strong Authentication Analysis ................................................................................ 23

SECTION III: SUMMARY OF INSPECTORS GENERAL’S FINDINGS .............................................. 26

SECTION IV: PROGRESS IN MEETING KEY PRIVACY PERFORMANCE MEASURES ................ 31

SECTION V: APPENDICES ..................................................................................................................... 35

Appendix 1: NIST Performance in FY 2014 .......................................................................................... 35

Appendix 2: Security Incidents by CFO Act Agency ............................................................................. 36

Appendix 3: FY 2014 CAP & Key FISMA Metric Details .................................................................... 49

Appendix 4: IT Security Spending Reported by CFO Act Agencies ...................................................... 81

Appendix 5: Inspectors General's Response ........................................................................................... 84

Appendix 6: List of CFO Act Agencies .................................................................................................. 96

Appendix 7: List of Non-CFO Act Agencies Reporting to CyberScope ................................................ 97

END NOTES .............................................................................................................................................. 99

ANNUAL REPORT TO CONGRESS: FEBRUARY 27, 2015 6

INTRODUCTION: FEDERAL CYBERSECURITY YEAR IN REVIEW

As cyber threats continue to evolve, the Federal Government is embarking on a number of initiatives to protect Federal information and assets and improve the resilience of Federal networks. OMB, in coordination with its partners at the National Security Council (NSC), the Department of Homeland Security (DHS), and other agencies, helps drive these efforts in its role overseeing the implementation of programs to combat cyber vulnerabilities and threats to Federal systems. Today, as required by the Federal Information Security Management Act of 2002 (FISMA), OMB is sending to Congress the annual report that tracks the progress of our efforts while also identifying areas of needed improvement.

Agencies take a number of actions to protect government networks and information, implementing tools and policies in order to mitigate potential risks. The fiscal year (FY) 2014 FISMA report provides metrics on Federal cybersecurity incidents, the efforts being undertaken to mitigate them and prevent future incidents, and agency progress in implementing cybersecurity policies and programs to protect their networks. FY 2014 proved to be a year of continued progress toward the Administration’s Cybersecurity Cross Agency Priority (CAP) Goal, which requires agencies to “Know Your Network” (Information Security Continuous Monitoring), “Know Your Users” (Strong Authentication), and “Know Your Traffic” (Trusted Internet Connection Consolidation and Capabilities).

• Know Your Network – Agency performance implementing Information Security Continuous Monitoring (ISCM) improved from 81% in FY 2013 to 92% in FY 2014. This means that agencies have improved implementation of Asset, Configuration, and Vulnerability Management tools and practices to better manage cyber vulnerabilities when they arise.

• Know Your Users – Implementation of Strong Authentication has seen a total increase from 67% in FY 2013 to 72% in FY 2014. This means that an increasing number of agencies require their users to log-on to networks with unique Personal Identity Verification (PIV) cards, instead of other less secure means of identification and authentication.

• Know Your Traffic – Agencies achieved the CAP goal of 95% of external network traffic passing through a TIC or Managed Trusted Internet Protocol Services (MTIPS) provider, and implementation of TIC 2.0 capabilities rose from 87% in FY 2013 to 92% in FY 2014. This means that an increasing amount of agency internet traffic passes through trusted internet connections and that agencies are deploying common controls to improve cybersecurity.

Additionally, DHS has continued implementation of key vulnerability and threat prevention initiatives. Under the Continuous Diagnostics and Mitigation (CDM) program, agencies have procured over 1.7 million licenses for asset, configuration, and vulnerability management tools. The President’s FY 2016 Budget also invests $582 million to drive continued progress through CDM and EINSTEIN to enable agencies to detect and prevent evolving cyber threats. Moreover, EINSTEIN, an intrusion detection and prevention system, is being deployed to provide agencies with an early warning system, and improved situational awareness of emerging threats.

We have seen notable progress by Federal agencies, but there is work to be done. Fiscal Year 2014, in particular, was a pivotal year for Federal cybersecurity, marked by sophisticated threat activity and vulnerabilities. Federal agencies reported nearly 70,000 information security incidents in FY 2014, up 15% from FY 2013. Strong Authentication remains a key challenge. Although overall Strong Authentication implementation reached 72% in FY 2014, this number is partially buoyed by the size and strong performance of the Department of Defense (DOD). When removing DOD from the calculation, only 41% of civilian CFO Act agencies implemented the use of Strong Authentication for network access in FY 2014. Still, agencies are demonstrating a commitment (and even significant progress) to improving in this area. The Department of Commerce (Commerce) saw a dramatic increase in the use of Strong Authentication from 30% to 88% as compared to FY 2013, while the Environmental Protection Agency (EPA) jumped from 0% to 69%.

And we are already taking steps to ensure every CFO Act agency implements Administration priorities to advance the overall state of cybersecurity. For example, last fall OMB issued guidance establishing a new process for DHS to conduct regular and proactive scans of Federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents. We will be able to gauge the progress of this measure in the annual FY 2015 FISMA report. OMB also launched a dedicated cybersecurity unit within the Office of E-Government & Information Technology (E-Gov Cyber) to drive accelerated agency adoption of Administration priorities through:

o Data-driven, risk-based oversight of agency and government-wide cybersecurity programs;

o Issuance and implementation of Federal cybersecurity policies consistent with emerging technologies and evolving cyber threats;

o Oversight and coordination of the Federal response to major cyber incidents and vulnerabilities to ensure appropriate mitigation strategies are implemented effectively; and,

o Coordination and engagement with NSC staff, DHS, the National Institute of Standards and Technology (NIST), Congress, and other key stakeholders to modernize and implement relevant cybersecurity statutes.

In FY 2015, OMB E-Gov Cyber will drive accelerated agency adoption of Administration priorities and industry best practices as a means of improving the Federal cybersecurity posture.

These and other initiatives are described in detail throughout this report, which covers the period from October 1, 2013, to September 30, 2014. The report is organized as follows:

Section I: Strengthening Federal Cybersecurity
Describes the efforts undertaken to protect existing and emerging government data and information technology (IT) assets and the role OMB plays in Federal cybersecurity efforts.

Section II: State of Federal Cybersecurity
Identifies agency performance against cybersecurity metrics and OMB’s assessment of that performance.

Section III: Summary of Inspectors General's Findings
Provides an overview of the assessments of agency inspectors general (IG) regarding agency information security programs.

Section IV: Progress in Meeting Key Privacy Performance Measures
Provides an overview of the agency progress made in implementing steps to analyze and address privacy issues.

Section V: Appendices
Appendix 1: NIST Performance in 2014
Appendix 2: Security Incidents by CFO Act Agency
Appendix 3: FY 2014 CAP & Key FISMA Metric Details
Appendix 4: Information Security Spending Reported by CFO Act Agencies
Appendix 5: Inspectors General’s Response
Appendix 6: List of CFO Act Agencies
Appendix 7: List of Non-CFO Act Agencies Reporting to CyberScope


SECTION I: STRENGTHENING FEDERAL CYBERSECURITY

The Federal Government is currently facing an evolving cybersecurity landscape. According to data reported to US-CERT, and described in more detail in Section II, Phishing and Malicious Code continue to present threats to both the Federal Government and the public at large. These increasingly sophisticated attacks take advantage of flaws in software code or use exploits that can circumvent the signature-based tools that commonly identify and prevent known threats. Far too often, adversaries are able to employ social engineering techniques designed to trick an unsuspecting user into opening a malicious link or attachment, thereby giving the attacker direct access to Federal information and information systems. The following section describes how the Federal Government is addressing these and other cyber threats.

A. FEDERAL GOVERNMENT PROGRAMS DESIGNED TO COMBAT GROWING THREATS

The Federal Government relies on a variety of initiatives to ensure the continued protection of Federal information and information systems. First, FISMA requires agencies to maintain an information security program commensurate with their risk profile. For instance, agencies are responsible for assessing and authorizing information systems to operate within their own networks and for determining what users have the authority to access agency information. Second, DHS is the operational lead for Federal civilian cybersecurity, and as such, executes a number of protection programs on behalf of the Government. Third, NIST issues and updates security standards and guidelines for information systems utilized by Federal agencies. Finally, OMB, in partnership with NSC staff and DHS, oversees the successful implementation of agency-specific and government-wide cybersecurity programs.

OMB’s oversight efforts focus, among other evaluation criteria, on measuring agency performance against the Cybersecurity CAP Goal. As described in more detail in Section II, the Cybersecurity CAP Goal was designed to assess agency implementation of basic cybersecurity principles to ensure a common Federal baseline for combating cyber threats. Section II of this report describes the performance of agency-specific cybersecurity programs, including those that fall under both the CAP goal and key FISMA metrics. The remainder of this section highlights select government-wide cybersecurity programs and OMB’s role in Federal cybersecurity. It is important to note that the following programs are some of the most critical, but do not represent the universe of Federal cybersecurity initiatives.

Government-wide Programs Administered by DHS

As described above, DHS is the operational lead for Federal civilian cybersecurity and is responsible for deploying key programs that, when fully implemented, will provide agencies with strong protection against emerging threats. The two most critical programs are:

• Continuous Diagnostics & Mitigation; and

• National Cybersecurity Protection System (EINSTEIN).

Continuous Diagnostics & Mitigation

Per OMB Memorandum 14-03, “Ensuring the Security of Federal Information and Information Systems,” DHS, in partnership with OMB and NSC staff, operates the Continuous Diagnostics & Mitigation (CDM) program. Under CDM, DHS works with the General Services Administration (GSA) to establish and fund government-wide Blanket Purchase Agreements (BPA) used to provide Federal agencies a basic set of tools to support the continuous monitoring of information systems. Among these tools will be agency dashboards with customizable report functions and a Federal enterprise-wide dashboard that will allow DHS to improve its response to cyber threats. Once fully implemented, CDM will enable agencies to identify and respond, in near real-time, to cybersecurity challenges.

The rollout of CDM is organized into three phases designed to allow agencies to implement CDM in a consistent manner that demonstrates measurable cybersecurity results and leverages strategic sourcing to achieve cost savings. Phase One of CDM focuses on endpoint integrity and device management. Specifically, this phase encompasses the management of hardware and software assets, configuration management, and vulnerability management. These capabilities form an essential foundation on which the rest of CDM will build. As of the end of FY 2014, over 1.7 million licenses for these security monitoring tools and products had been purchased and distributed to agencies. This marked a major step in the implementation of CDM and demonstrated the efficiency of the BPA, which achieved $26 million in cost-avoidance when compared to the GSA General Schedule. Phase Two will focus on monitoring attributes of the authorized users operating in an agency’s computing environment. This includes the individual’s security clearance or suitability, security-related training, and any privileged access they may possess. Phase Three will focus on boundary protection and response to cyber incidents and vulnerabilities. These capabilities will include audit and event detection/response, status of encryption, remote access, and access control of the environment.

National Cybersecurity Protection System (EINSTEIN)

The goal of the National Cybersecurity Protection System (EINSTEIN) is to provide the Federal Government with an early warning system, improved situational awareness of intrusion threats to Federal Executive Branch civilian networks, near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity. Following widespread deployment of EINSTEIN 2, a passive intrusion detection system that issues alerts when threats are detected, DHS has begun deploying EINSTEIN 3 Accelerated (E3A), which will provide agencies an intrusion prevention capability with the ability to block and disable attempted intrusions before harm is done. By contracting with major Internet Service Providers (ISPs), the initial deployment of E3A is focused on countermeasures that will address approximately 85% of the cybersecurity threats affecting the Federal civilian networks. To date, the DHS Office of Cybersecurity and Communications has deployed E3A at seven departments and agencies. For FY 2015, DHS will continue this progress and build on experiences gained in FY 2014 to maintain positive momentum in providing advanced intrusion detection capabilities for government systems.

Additional Government-wide Programs Administered by Agencies

Facilitating Mobile Security

In FY 2014, NIST issued a series of guidelines to assist organizations in managing risks associated with the increased use of mobile devices, of which there are 4,171,168. In August 2014, NIST issued Draft Special Publication (SP) 800-163, “Draft Technical Considerations for Vetting 3rd Party Mobile Applications” to provide guidance for vetting 3rd party software applications (apps) for mobile devices. Mobile app vetting is intended to assess a mobile application’s operational characteristics of secure behavior and reliability, including performance, so that organizations can determine if the app is acceptable for use in their expected environment. The draft SP provides key technical software assurance considerations for organizations as they adopt mobile app vetting processes.

NIST also issued SP 800-101 Revision 1, “Guidelines on Mobile Device Forensics,” to provide basic information on mobile forensics tools and the preservation, acquisition, examination, analysis, and reporting of digital evidence present on mobile devices. Additionally, NIST released Revision 1 of SP 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.” SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials to mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems. Along with SP 800-157, NIST published Draft NIST Interagency Report (NISTIR) 7981, “Mobile, PIV, and Authentication,” which provides an analysis and summary of various current and near-term options for remote authentication with mobile devices that leverage the investment in the PIV infrastructure and the unique security capabilities of mobile devices.

FedRAMP and the Safe, Secure Adoption of Cloud

To accelerate the adoption of cloud computing solutions across the Federal Government, on December 8, 2011, the Federal Chief Information Officer (CIO) published the “Security Authorization of Information Systems in Cloud Computing Environments” policy memorandum. This memorandum formally established the Federal Risk and Authorization Management Program (FedRAMP), a process that replaced the varied and duplicative cloud service assessment procedures across government by providing agencies with a standard approach. The approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the Federal Government. The memorandum established roles and responsibilities, implementation timelines, and requirements for agency compliance, including that all low and moderate impact cloud services leveraged by more than one office or agency comply with FedRAMP requirements.

In FY 2014, FedRAMP issued four Provisional Authorizations and six Agency Authorizations to Cloud Service Providers (CSP). A Provisional Authorization is an initial statement of risk and approval of an authorization package pending the issuance of a final authorization to operate by the agency acquiring the cloud service (Agency Authorization). Twenty-six agencies have reported using FedRAMP provisionally authorized packages, and agencies have reported a total of 81 systems as being FedRAMP compliant. In FY 2015, FedRAMP will pursue three main goals: (1) increase compliance and agency participation in FedRAMP; (2) improve the efficiency of the program by streamlining processes and other internal improvements; and (3) continue to adapt as the fast-moving landscape of securing cloud technology evolves.

National Strategy for Trusted Identities in Cyberspace (NSTIC) and Connect.gov

In response to demand for improved digital identification from the private sector, government, and the general public, the Administration released the “National Strategy for Trusted Identities in Cyberspace” (NSTIC) in April 2011. The NSTIC calls for public-private collaboration to create an Identity Ecosystem – a marketplace of more secure, convenient, interoperable, and privacy-enhancing solutions for online authentication and identification. The NSTIC outlines an approach for the Executive Branch to catalyze and facilitate the private sector’s development of this online identity environment. This environment will allow individuals and organizations to utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

In support of NSTIC, the United States Postal Service (USPS) and the General Services Administration (GSA) are administering Connect.gov (formerly known as the Federal Cloud Credential Exchange). Connect.gov is a secure, privacy-enhancing cloud service that conveniently connects individuals to online government services using an approved digital credential individuals may already possess and trust. Traditionally, individuals seeking to do business with the Federal Government had to create agency-specific user names and passwords to access information online. Connect.gov allows an individual to access these same Government websites and services by signing in with a third-party credential whose identity services have been approved by GSA’s Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions program. This will eliminate the need for consumers to maintain multiple logins for government agencies, and will enable government to more effectively serve people through a wide array of new citizen-facing applications. In FY 2014, Connect.gov entered an operational pilot with the Department of Veterans Affairs (VA), the Department of Agriculture (USDA), and NIST to allow consumers to access internet applications using a digital credential issued by a government certified provider. Moving forward, Connect.gov will continue to integrate additional agencies and enter full operating capacity in FY 2015.

B. OMB’S ROLE IN FEDERAL CYBERSECURITY

Per FISMA, OMB E-Gov, under the direction of the Federal CIO, has held oversight responsibility for Federal cybersecurity policy and implementation. As the need for greater coordination across government has grown to keep pace with increasing threats, OMB has increased its role in the process. This involvement has been multifaceted, ranging from overseeing the Federal response to cyber events like the Heartbleed and Bash vulnerabilities, to holding agency leadership accountable for cybersecurity performance through the PortfolioStat[1] and CyberStat initiatives.[2] Due to the rapidly evolving threat landscape and the commitment by Congress to improve Federal cybersecurity, OMB recently created a dedicated unit within OMB E-Gov, the Cyber and National Security Unit (E-Gov Cyber), which will focus on strengthening Federal cybersecurity through targeted oversight and policy issuance.

E-Gov Cyber was made possible by Congress’s continued commitment to improving Federal cybersecurity. Initially in FY 2014 and again in FY 2015, Congress provided OMB resources for improved cybersecurity oversight and analytics through the Information Technology Oversight and Reform (ITOR) fund.[3] E-Gov Cyber will focus on the following strategic objectives with its partners, the National Security Council (NSC) staff, DHS, and NIST:

• Data-driven, risk-based oversight of agency and government-wide cybersecurity programs;

• Issuance and implementation of Federal cybersecurity policies consistent with emerging technologies and evolving cyber threats;

• Oversight and coordination of the Federal response to major cyber incidents and vulnerabilities to ensure appropriate mitigation strategies are effectively implemented; and

• Engagement with key stakeholders to modernize relevant cybersecurity statutes.

In FY 2015, E-Gov Cyber will target oversight through CyberStat reviews based on agencies with high risk factors, as determined by cybersecurity performance and incident data. Through increased resources, OMB will be able to ensure that these reviews help equip agencies with the proper tools and processes to enhance their cybersecurity capabilities. The unit will remain focused on ensuring successful DHS implementation of critical programs such as the National Cybersecurity Protection System (NCPS) and Continuous Diagnostics & Mitigation (CDM). Lastly, E-Gov Cyber will enhance OMB’s ability to issue and update long-standing Federal cybersecurity guidance, such as Circular A-130, to ensure agencies have the best practices and techniques at their disposal.

Persistent cyber threats remain a challenge for the Federal Government. Through the efforts described above, E-Gov Cyber will facilitate coordinated protection, response mechanisms, and close collaboration between Federal cybersecurity partners, so that the Government will be able to better mitigate the impact of attacks when they occur and agencies can focus on successful mission execution.


SECTION II: STATE OF FEDERAL CYBERSECURITY

Section II of this report describes the current state of Federal cybersecurity. The section identifies FY 2014 agency-reported cybersecurity incident information, highlights specific initiatives the Federal Government is implementing to address these incidents, and provides a review of agency performance against these initiatives. Additionally, for the first time, E-Gov Cyber has provided specific analysis regarding agency performance against Strong Authentication goals. E-Gov Cyber’s analysis indicates that nearly a third of Federal incidents are related to or could have been prevented by Strong Authentication implementation. This section concludes with an identification of next steps to address these challenges. Additional information on agency performance against cybersecurity initiatives and metrics can be found in Appendix 3: FY 2014 CAP and FISMA Key Metrics Details.

A. FY 2014 CYBERSECURITY INCIDENTS

US-CERT receives computer security incident reports from the Federal Government, state and local governments, commercial enterprises, U.S. citizens, and international Computer Security Incident Response Teams (CSIRTs).[4] A computer security incident within the Federal Government is defined by NIST and US-CERT as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. In accordance with Section 301 § 3544 of the E-Government Act of 2002, as well as additional requirements described in the Updated DHS US-CERT Incident Notification Guidelines subsection below, Federal agencies are required to notify US-CERT through the US-CERT Incident Reporting System upon the discovery of a computer security incident. The total number of computer security incidents for each group can be found in Table 1 below.

Table 1: Incidents Reported to US-CERT in FY 2014

Reporting Source | Total Number of Incident Reports
Federal Government Total | 69,851
…