As a number of crippling breaches have illustrated, federal government agencies and departments are frequent targets in today’s advanced attacks. The White House’s Office of Management and Budget (OMB), in partnership with the Department of Homeland Security (DHS), recently conducted a cyber risk assessment of 96 agencies across 76 metrics to measure their cyber security postures. The resulting report, “Federal Cybersecurity Risk Determination Report and Action Plan,” paints a bleak picture, indicating that 74 percent of agencies are either “At Risk” or “High Risk.” This underscores the urgent need for change.
The report identifies four key areas where agencies struggle:
- Agencies neither understand nor have the resources to combat the current threat environment. The report finds that despite high-profile and crippling attacks, such as the U.S. Office of Personnel Management (OPM) breach, the “ability to determine threat actors’ motivations and methods for staging cyber attacks has not improved.” In fact, the report reveals that visibility or “situational awareness” is so limited that agencies could not identify the method of attack, or attack vector, in 38 percent of cyber incidents that led to information or system compromise in 2016.
- Lack of standardized cyber security processes and IT capabilities impacts the ability to efficiently gain visibility and combat threats. When it comes to managing privileged access to critical information and systems, the report indicates that only 55 percent of agencies limit access based on user attributes and roles, and only 57 percent review and track administrative privileges at all. This is particularly troubling, since privileged accounts provide access to these organizations’ most critical cyber infrastructure and sensitive information.
- Lack of visibility into what is happening on the network and the inability to detect data exfiltration. Only 27 percent of agencies reported having the ability to detect and investigate attempts to access large volumes of data—and even fewer test these capabilities annually. In other words, just one in four agencies can identify data exfiltration attempts at all. Further, the assessment found that only 30 percent of agencies have predictable, enterprise-wide incident response processes in place.
- No standardized or enterprise-wide processes for managing cyber security risks. The report notes, “Agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cyber security risks.” It also indicates that less than 16 percent of agencies achieved the government-wide target for encrypting data at rest, despite “repeated calls from industry leaders, GAO and privacy advocates to make more robust use of data-level protections, including the encryption of data both at rest.”
Along with greater accountability, increased awareness and consolidation/standardization of security resources to enhance efficiencies, the report’s recommendations include implementation of existing government guidelines and frameworks, such as FISMA/NIST SP800-53, NERC – CIP, HSPD-12 and the Department of Homeland Security CDM Program. Due to the powerful, unfettered access privileged accounts provide, privileged account protection and threat detection are at the center of many of these requirements.
Though this report includes sobering statistics, significant progress is possible. Agencies must first clearly understand their cyber security responsibilities tied to these existing frameworks. From there, they should thoroughly assess their current cyber security tools and processes, looking for ways to optimize them to address these requirements.
But they don’t have to go it alone. CyberArk is the recognized leader in protecting privileged access, and we have multiple Department of Defense customers and installations of the CyberArk Privileged Access Security Solution across the U.S. Federal Government in on-premises, cloud and ICS environments, and throughout the DevOps pipeline.
Many large-scale deployments in distributed and virtual environments are based on the CyberArk Privileged Access Security Hygiene Program, a proven, systematic approach that helps agencies to address their top privileged access control goals—from eliminating irreversible network takeover attacks to securing SaaS admins and privileged business users.
To learn more about our work in protecting federal agencies from advanced threats and supporting compliance while establishing and maintaining strong privileged access security hygiene, please explore our federal industry resources.