Sprint leaders take a modest lap

Two agencies stood above the rest at the end of the federal cyber sprint, and one of them was the agency at the center of the cybersecurity maelstrom.

Shutterstock image (by ToheyVector): Running man polygonal.


The agencies behind two of the biggest cyber sprint success stories are pleased with their achievement.

But they’re not exactly gloating about it.

Spokespersons for the General Services Administration and the Office of Personnel Management offered positive comments on their agencies’ cyber sprint performances, but agency leadership demurred on interviews.

“[W]e’re excited,” OPM spokesman Sam Schumach said of his agency’s two-factor authentication implementation improvement.

In the wake of the massive OPM breaches that sparked the government-wide cybersecurity refocus in the first place, OPM shot from 42 percent two-factor authentication implementation to 97 percent in just a few months.

But the leader on the results sheet published by federal CIO Tony Scott’s office: GSA.

GSA started from a position of strength, with 99 percent of non-privileged users subject to two-factor authentication at the sprint’s start in April.

But none of GSA’s privileged users were under the same stricture, something GSA had almost completely turned around by the end of July. Privileged user two-factor authentication rocketed from 0 percent to 96 percent at GSA over the course of the sprint.

“GSA leadership has made good investments in cybersecurity and will continue to do so to safeguard our data assets,” said GSA spokeswoman Teressa Wykpisz-Lee. “In addition, we will continue to work very closely with [the Homeland Security Department], other agency partners, and the rest of the cybersecurity community to ensure we are doing all we can to protect these assets.”

“It is surprising – and pleasing – to see such significant progress,” said Paul Christman, VP of Federal at Dell Software, of the cyber sprint. “These results clearly show that agencies have the ability to successfully put the right security measures in place.”

He cautioned against labeling some agencies winners and others laggards, given the diversity of the agencies involved and their varying cybersecurity starting points.

He also noted that two-factor authentication isn’t the end-all, be-all.

“Two-factor authentication is an essential part of identity and access management (IAM) – but only one piece of the complex cybersecurity puzzle,” Christman said. “The cyber sprint focused on HSPD-12 driven personal identification verification (PIV) card usage, but we cannot confuse this with complete access control.”

“Effective IAM governs data access and ensures not only that the right people have access to appropriate devices, but also the right information, at the right time,” he added. “The next steps need to go beyond IAM, using the initial efforts as a starting point for end-to-end security and utilizing other security elements outlined by the sprint.”

“Of course work isn’t done yet,” noted OPM’s Schumach, echoing the oft-repeated notion that cybersecurity is a marathon, not a sprint.

“GSA understands that additional and continued investments in cybersecurity will be needed as time goes on, and we are committed to adjusting our strategy to appropriately safeguard our data assets against ever-changing cybersecurity threats,” added Wykpisz-Lee.

Federal CIO Tony Scott, the man who ordered the sprint, has said he’s pleased with the results.

And for OPM, the agency at the center of it all, Scott said Aug. 11 that embattled CIO Donna Seymour should not follow her former boss, Katherine Archuleta, out the door.

“If you look at the pace of change they’re [Seymour and her IT team] driving at OPM and look closely, they’re doing a pretty darn good job,” Scott remarked.