Federal Cybersecurity Misses Targets in Annual Report

More government programs violated data security law standards in 2012 than in the previous year, the White House has informed Congress.

At the same time, computer security costs have increased by more than $1 billion, according to the executive branch’s yearly report on compliance with the 2002 Federal Information Security Management Act.

Inadequate training was a large part of the reason all-around FISMA adherence scores slipped from 75 percent in 2011 to 74 percent in 2012. 

Agencies reported that about 88 percent of personnel with system access privileges received annual security awareness instruction, down from 99 percent in 2011. Meanwhile, personnel expenses accounted for the vast majority -- 90 percent -- of the $14.6 billion departments spent on information technology security in 2012. Agencies spent $1.3 billion less on IT security in 2011. 

Other factors that led to lower FISMA marks in 2012: the major departments are not using smartcards to restrict network access and are not automatically configuring system settings. About 57 percent of user accounts require tokens to log on, down from 66 percent in 2011. A decrease in smartcard usage at the Pentagon and significantly lower usage at the Agriculture Department contributed to the decline.

The Defense Department also fell behind in automatically applying security configuration settings, dropping from 95 percent compliance in fiscal 2011 to 53 percent due to different reporting criteria this year.

Defense, along with the Homeland Security and Treasury departments, spent the most money on IT security, with expenditures totaling $12 billion, $615.5 million and $404 million respectively. Those figures include the cost of cybersecurity specialists, tools, testing and training. 

The Obama administration’s report, which was released publicly this week, also stated that agencies reported experiencing about 49,000 computer security incidents during 2012. In 2011, Homeland Security, which oversees federal-level network protections, received 43,889 incident reports. 

At major departments, most episodes were the result of lost or stolen equipment and data, not unauthorized access. The missing hardware included laptops, mobile devices and smartcards.

The White House report singled out work by DHS to raise the cybersecurity bar.  The department, for example, is buying sensors, consulting services and risk-analysis displays for agencies that have not instituted “continuous monitoring” -- or live tracking of security protections.

Sen. Tom Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Committee and backer of FISMA reforms, applauded DHS’ reported progress.

“I am encouraged to learn about the Department of Homeland Security’s outstanding implementation and maintenance of its information security programs in this report,” he stated. “I commend DHS, the Office of Management and Budget, the National Institute of Standards and Technology, the National Security Council, and others for their ongoing efforts to help struggling federal agencies improve their information security management. While a number of agencies are clearly on the right path, more steps need to be taken to enhance the overall federal government’s information security management.”

Carper will continue to monitor the deficiencies raised in the report and work with congressional colleagues and the administration to make sure those problems are properly addressed, a committee aide told Nextgov.
