recommended reading

The Federal Government Is Finally Updating Y2K-era Cybersecurity Baselines

Olivier Le Moal/

The last time the federal government updated its IT strategy, the requirements dealt with protecting "dial-in access," bulletin boards, and passwords. That was in 2000.

The plan -- still in effect today and labeled Circular A-130 -- makes no mention of contractor security, encryption, multistep ID authentication, or patching security holes -- protections that could have lessened the blow of data breaches at the federal retirement Thrift Savings Plan, the military's TRICARE health program, Office of Personnel Management and a background check provider.

Now, after a push from Congress, the White House is upgrading its information management principles.

Proposed changes reflect an age where teenagers reportedly can reverse look up the CIA director's mobile phone number and use it to hack his personal webmail account.

The proposal, posted online Wednesday, also recognizes the existence of "insider threats." These are federal employees and contractors with legal access to U.S. secrets who can compromise as much intelligence, if not more, than outsiders. The 2000 plan was issued almost a decade before former soldier Chelsea Manning transferred military files to the anti-secrets website WikiLeaks.

In 2000, the big focus was on granting everyone access to as little digital information as possible. Then, the Sept. 11, 2001, terrorist attacks demonstrated a need for more information sharing.

Some of the draft minimum requirements in the rewrite are aimed at reducing "the potential for abuse of authorized privileges" and "the risk of malicious activity without collusion." In addition, agencies should "continuously monitor, log and audit" the network activities by "privileged users" with sweeping access "to detect misuse and to help reduce the risk from insider threats."

The rise of a system called the "World Wide Web" partly prompted the last A-130 refresh, according to the document. In addition,1995 amendments to the "Paperwork Reduction Act" required the White House provide agencies guidelines on conducting business electronically.

Fast forward to the age of daily data breaches, Congress last year passed an update to a 2002 federal cybersecurity legislation. The reforms mandated an A-130 rewrite.

Beyond addressing information security threats, the draft policy outlines pointers for managing IT investments and streamlining the process for acquiring new technology. The Obama administration will accept comments on the strategy for the next 30 days. A final plan is expected to be is released in December.

Minimum Agency Security Requirements Then and Now?

The Threat

  • 2000 - Security incidents, whether caused by viruses, hackers, or software bugs, are becoming more common.
  • 2015 -  Information is subject to threats that could potentially harm organizational operations, assets, individuals, or the nation. These risks include environmental disruptions, purposeful attacks, structural failures, human errors, among others.

Checking Safeguards

  • 2000 - Review the security controls in each system after a major upgrade, but at least every three years.
  • 2015 - Review common controls on a time- or event-driven basis.

Agency In Charge of Incident Handling

  • 2000 - Commerce Department coordinates agency incident response activities
  • 2015 - The Department of Homeland Security now exists and runs a governmentwide information security incident center

Contractor Restrictions

  • 2000 - Crickets.
  • 2015 - Agencies must have procedures for incidents affecting contractor systems, including timelines for breach notification. There must also be agreements for connections between contractor and government-owned systems. Agencies are also told to protect against the insertion of system components that are counterfeit or tainted, throughout a system's lifecycle.

Use of Outdated IT

  • 2000 - No guidelines.
  • 2015 - Prohibit the use of unsupported software and system components (When vendors are no longer providing critical software patches for system parts, it's easier for adversaries to exploit weaknesses discovered later on.) Implement and maintain current updates and patches for all software and firmware components of information systems


  • 2000 - Nothing to stop agencies from saving and transmitting people's Social Security numbers and passwords in plain text, ripe for interception.
  • 2015 - Encrypt all stored and in-transit information that would disrupt an agency's mission if breached, to the extent feasible.

Login IDs

  • 2000 - A password
  • 2015 - Provide employees and contractors with multifactor authentication and encryption features to protect personal information

(Image via Olivier Le Moal/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.