Agencies lose ground on awareness training, while personnel costs sap the government’s $14.6 billion cyber budget.
More government programs violated data security law standards in 2012 than in the previous year, the White House has informed Congress.
At the same time, computer security costs have increased by more than $1 billion, according to the executive branch’s yearly report on compliance with the 2002 Federal Information Security Management Act.
Inadequate training was a large part of the reason all-around FISMA adherence scores slipped from 75 percent in 2011 to 74 percent in 2012.
Agencies reported that about 88 percent of personnel with system access privileges received annual security awareness instruction, down from 99 percent in 2011. Meanwhile, personnel expenses accounted for the vast majority -- 90 percent -- of the $14.6 billion departments spent on information technology security in 2012. Agencies spent $1.3 billion less on IT security in 2011.
Other factors that led to lower FISMA marks in 2012 were that the major departments are not using smartcards to restrict network access and are not automatically configuring system settings. About 57 percent of user accounts require tokens to log on, down from 66 percent in 2011. A decrease in smartcard usage at the Pentagon and significantly lower usage at the Agriculture Department contributed to the decline.
The Defense Department also fell behind in automatically applying security configuration settings, dropping from 95 percent compliance in fiscal 2011 to 53 percent due to different reporting criteria this year.
Defense, along with the Homeland Security and Treasury departments, spent the most money on IT security, with expenditures totaling $12 billion, $615.5 million and $404 million respectively. Those figures include the cost of cybersecurity specialists, tools, testing and training.
The Obama administration’s report, which was released publicly this week, also stated that agencies reported experiencing about 49,000 computer security incidents during 2012. In 2011, Homeland Security, which oversees federal-level network protections, received 43,889 incident reports.
At major departments, most episodes were the result of lost or stolen equipment and data, not unauthorized access. The missing hardware included laptops, mobile devices and smartcards.
The White House report singled out work by DHS to raise the cybersecurity bar. The department, for example, is buying sensors, consulting services and risk-analysis displays for agencies that have not instituted “continuous monitoring” -- or live tracking of security protections.
Sen. Tom Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Committee and backer of FISMA reforms, applauded DHS’ reported progress.
“I am encouraged to learn about the Department of Homeland Security’s outstanding implementation and maintenance of its information security programs in this report,” he stated. “I commend DHS, the Office of Management and Budget, the National Institute of Standards and Technology, the National Security Council, and others for their ongoing efforts to help struggling federal agencies improve their information security management. While a number of agencies are clearly on the right path, more steps need to be taken to enhance the overall federal government’s information security management.”
Carper will continue to monitor the deficiencies raised in the report and work with congressional colleagues and the administration to make sure those problems are properly addressed, a committee aide told Nextgov.