Federal Cybersecurity Misses Targets in Annual Report


More government programs violated data security law standards in 2012 than in the previous year, the White House has informed Congress.

At the same time, computer security costs have increased by more than $1 billion, according to the executive branch’s yearly report  on compliance with the 2002 Federal Information Security Management Act.

Inadequate training was a large part of the reason all-around FISMA adherence scores slipped from 75 percent in 2011 to 74 percent in 2012. 

Agencies reported that about 88 percent of personnel with system access privileges received annual security awareness instruction, down from 99 percent in 2011. Meanwhile, personnel expenses accounted for the vast majority -- 90 percent -- of the $14.6 billion departments spent on information technology security in 2012, a figure $1.3 billion higher than IT security spending in 2011.

Other factors behind the lower FISMA marks in 2012 were that major departments are not using smartcards to restrict network access and are not automatically configuring system settings. About 57 percent of user accounts require tokens to log on, down from 66 percent in 2011. A decrease in smartcard usage at the Pentagon and significantly lower usage at the Agriculture Department contributed to the decline.

The Defense Department also fell behind in automatically applying security configuration settings, dropping from 95 percent compliance in fiscal 2011 to 53 percent, a decline the report attributes to different reporting criteria this year.

Defense, along with the Homeland Security and Treasury departments, spent the most money on IT security, with expenditures totaling $12 billion, $615.5 million and $404 million respectively. Those figures include the cost of cybersecurity specialists, tools, testing and training. 

The Obama administration’s report, which was released publicly this week, also stated that agencies reported experiencing about 49,000 computer security incidents during 2012. In 2011, Homeland Security, which oversees federal-level network protections, received 43,889 incident reports. 

At major departments, most episodes were the result of lost or stolen equipment and data, not unauthorized access. The missing hardware included laptops, mobile devices and smartcards.

The White House report singled out work by DHS to raise the cybersecurity bar.  The department, for example, is buying sensors, consulting services and risk-analysis displays for agencies that have not instituted “continuous monitoring” -- or live tracking of security protections.

Sen. Tom Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Committee and backer of FISMA reforms, applauded DHS’ reported progress.

“I am encouraged to learn about the Department of Homeland Security’s outstanding implementation and maintenance of its information security programs in this report,” he stated. “I commend DHS, the Office of Management and Budget, the National Institute of Standards and Technology, the National Security Council, and others for their ongoing efforts to help struggling federal agencies improve their information security management. While a number of agencies are clearly on the right path, more steps need to be taken to enhance the overall federal government’s information security management.”

Carper will continue to monitor the deficiencies raised in the report and work with congressional colleagues and the administration to make sure those problems are properly addressed, a committee aide told Nextgov.
