Agencies received lower scores for not holding contractors responsible for privacy requirements.
The number of government agencies actively exercising measures to account for their contractors’ handling of sensitive federal information is significantly lower than the number meeting other performance criteria in the Federal Information Security Management Act, the government’s main cyber compliance law.
The White House released its annual FISMA report to Congress Wednesday, touting that “agencies continue to make significant progress in meeting cybersecurity targets” and crediting “key investments by the Trump Administration” for what it described as federal agencies’ improved ability to defend against cyberattacks.
Overall, as highlighted in the White House press release, 72 agencies received a rating of “managing risk” in the annual cybersecurity risk management assessment process, “up from 62 agencies in FY 2018 and up from 33 agencies when the process started in FY 2017.”
Total cybersecurity funding amounted to almost $17 billion for 2019, according to the report.
Though agencies’ compliance scores generally improved over last year, the report shows agencies need to work on holding contractors responsible for privacy requirements and implementing appropriate access management policies.
The report stresses the importance of accountability. In the context of workforce and training measures, it notes: “Federal agencies' privacy programs are required to play a key role in workforce management activities and holding agency personnel accountable for complying with applicable privacy requirements and managing privacy risks. This includes developing, maintaining, and providing agency-wide privacy awareness and training programs for all employees and contractors.”
According to a 2017 report by researchers at New York University’s Wagner School of Public Service, 40% of the government’s workforce consists of contractors.
While 100% of agencies had established rules of behavior for handling federal information, and consequences for federal employees violating them, the White House reports only 58% of agencies had implemented and documented policies to ensure contractors with access to such information are adhering to the same rules of behavior.
Those numbers are for Chief Financial Officer Act agencies. The numbers for non-CFO Act agencies were generally worse.
The report also notes measures the administration has taken to reform its identity, credential and access management processes.
“On May 21, 2019, OMB M-19-17 shifts agency ICAM strategies and solutions from the obsolete Levels of Assurance (LOA) model to a risk management methodology, enabling agency resource decisions to be aligned to agency mission priorities,” the report reads.
But only 63% of CFO agencies had implemented and documented measures to ensure “appropriate vetting and access control processes for contractors and others with access to information systems containing Federal information,” according to the report. Less than 40% of non-CFO agencies had done this.
The Government Accountability Office’s Vijay D’Souza, who directs IT and cybersecurity issues for the watchdog, told Nextgov, “Our reports have also shown agencies’ progress in their efforts to secure their networks but highlight remaining challenges.”
“We are planning to address these issues in our own in-depth review summarizing the state of federal cybersecurity early next year,” he said.