About 72 percent of computer users in the U.S. government now are restricted from accessing agency networks without a smart card, two months after revelations that a stolen password was used to expose secrets on millions of national security personnel.
Still, more than a quarter of users need only a code to access untold terabytes of sensitive federal data.
On Friday, the White House released the overdue progress report on agency cybersecurity improvements following the Office of Personnel Management hacks. The "30-Day Cybersecurity Sprint" commenced June 12, and a public assessment was initially expected July 20.
Along with the progress report, the Obama administration urged that lawmakers relieve across-the-board spending cuts, so agencies can further bolster network defenses.
"It is critical Congress lift the harmful spending cuts known as sequestration and provide agencies certainty in their budgets, to improve their planning, and their ability to forecast and acquire the necessary resources for addressing emerging cyberthreats," U.S. Chief Information Officer Tony Scott said in a blog post.
He blamed the “unsustainable state” of the federal government’s networks on "decades of underfunding and years of uncertainty in budgets" for IT operations.
Obama's fiscal 2016 budget request would increase cyber spending by 11 percent, bringing the total information security investment to $14 billion.
The cyber sprint’s instructions to agencies included immediately plugging years-old security holes, surveilling networks for newly identified threats and reducing the number of "privileged" users with wide access to data.
Another direction to accelerate the use of "multifactor authentication" with smart cards was actually first required by the White House in 2004. On Thursday, a Senate committee passed legislation that would mandate the use of smart cards and governmentwide Internet monitoring as a matter of law.
Absent from Friday's after-action rundown was the number of security holes and breaches agencies were told to find and deal with. So far, only OPM has reported a weakness, which it handled by taking offline a vulnerable background investigation system called e-QIP for roughly four weeks.
Scott said agencies are "reducing" the number of wide-access users and working with the Department of Homeland Security to scan their networks for vulnerabilities. Friday's report did not elaborate, but DHS Secretary Jeh Johnson earlier this month said about 45 percent of the federal workforce is protected by its network-monitoring tool called EINSTEIN.
There were 134,287 privileged user accounts across the government, according to a Federal Information Security Management Act compliance report published in February.
According to Friday’s report, more than half of the largest agencies – including the departments of Transportation, Veterans Affairs and Interior – now require multistep ID checks for 95 percent of high-access users.
The OPM hackers gained a foothold into an Interior data center shared by about 100 offices governmentwide, but evidently only snatched records from OPM.
Scott acknowledged that, even though the sprint is over, "a marathon" effort must be made to continuously tighten network security.
A long-term "Cybersecurity Sprint Strategy and Implementation Plan" will be issued in the coming months, he said.
"Cyberthreats cannot be eliminated entirely, but they can be managed much more effectively," Scott said.