The latest federal agency cybersecurity risk assessment report reveals that 74 percent of agencies are at risk or high risk. Released in May of this year by the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS), the report uses the following schema to categorize and define risk:
- High Risk: Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently.
- At Risk: Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.
- Managing Risk: The agency institutes required cybersecurity policies, procedures, and tools and actively manages their cybersecurity risks.
Lacking in Situational Awareness
The OMB, DHS and NSA (National Security Agency) found that federal agencies weren't able to identify the attack vector in 38 percent of security incidents.
In efforts to improve situational awareness across agencies, the Office of the Director of National Intelligence has created a Cyber Threat Framework to help standardize how agencies communicate about cyber threats.
This common language categorizes the stages of the threat lifecycle, including:
- Preparation - Reconnaissance or collecting information to help inform an attack
- Engagement - Initial contact with a target, vulnerability exploitation or malware delivery
- Presence - Establishing control, evading detection and establishing persistence
- Effect/Consequence - Denying target's access, extracting, altering or destroying data, etc.
According to the report, the framework aligns with the NIST framework functions and other NIST Special Publications. The Cyber Threat Framework closely maps to the same steps in NIST SP 800-37, Risk Management Framework to Federal Information Systems.
MFA Progress, But Access Management Needs Work
Other findings from the risk assessment include significant progress in enforcing multi-factor authentication through Personal Identity Verification (PIV) cards. Agencies have now enforced this control among 93 percent of their privileged users, whom the report defines as users with access to sensitive agency and citizen data.
But when it comes to access management, agencies have not matured. The risk assessments found that identity, credential and access management (ICAM) processes need to improve by establishing attribute or role-based access controls for users.
A decentralized and fragmented IT landscape has led to ICAM problems, including too many different solutions and user directories that prevent agencies from getting a comprehensive view of their users and their access to government networks and sensitive government information.
Only 55 percent of agencies limit access based on user attributes and roles, while 57 percent review and track administrative privileges.
Other notable findings from the report include:
- 27% of agencies have the ability to detect and investigate attempts to access large volumes of data
- 30% of agencies have predictable, enterprise-wide incident response processes in place
- 16% of agencies achieved the government-wide target for encrypting data at rest
Comprehensive Access Visibility & Control
One way to get that enterprise-wide view of who is on agency networks is by using a comprehensive access security solution that easily integrates into your existing directories and access management technology.
With Duo, you can:
- Verify user trust with adaptive, risk-based authentication via mobile app or Universal 2nd Factor (U2F)
- Get insight into every user and device that authenticates into your applications and networks through one centralized dashboard
- Distinguish between corporate-managed and user-owned devices
- Get the ability to customize policies and controls based on user, device and application attributes
- Enforce policies to limit user access to certain applications
Learn more about Duo’s platform.