More fed security woes, more DHS bills and a wait-and-see approach to EAGLE II
News and notes from around the federal IT community.
Report: 47 agencies face possible login credential exposure
The OPM breach isn’t the only recent example of cybersecurity vulnerabilities in government. Employees at 47 agencies may have had their login credentials exposed, according to a report by Recorded Future.
As of early 2015, 12 of these agencies, including the Department of Homeland Security, allowed some users access to their computer networks with no form of two-factor authentication (ie, requiring both a password and a biometric identifier. The report found the Department of Energy most vulnerable to exposure on the web, with email/password combinations for nine different domains findable on the Internet. The Department of Commerce had exposures in seven domains, according to the report.
Recorded Future said all of the exposed government employee email/password combinations were found on sites like Pastebin. These websites let users share bits of code and they’ve become a “dumping ground” for stolen passwords.
Around half of Americans use the same passwords for various sites, including work. So if a third-party website’s database is hacked and a government employee uses the same password at work, those credentials could allow a hacker access to an agency system.
The report suggests agencies should increase the security of login credentials with VPNs and/or two-factor authentication.
Senate panel waits on Einstein
The Senate Homeland Security and Governmental Affairs Committee approved a handful of DHS-related measures June 24, but postponed action on a bill that would authorize the department’s Einstein cybersecurity program.
Chairman Ron Johnson (R-Wis.) and ranking Democrat Tom Carper of Delaware said the committee was working to come to consensus on legislation that would allow Congress to weigh in on the deployment of Einstein, which has taken on greater urgency in the wake of the breach at the Office of Personnel Management that exposed millions of current and former federal employees’ personal information.
“It is a critically important program given the seemingly never-ending cyberattacks on our federal government,” Carper said.
Among the bills the panel approved by voice vote was the Duplication Reduction Act, which would require the DHS CIO to conduct an internal census of IT systems, report on whether systems are duplicative, and come up with a strategy for reducing the number of such systems. The House passed its version of the bill by voice vote on June 23.
The committee also approved the nomination of Carol Ochoa to be inspector general at the General Services Administration.
GAO withholds judgment on DHS’s Eagle II
The Government Accountability Office said it's too early to tell whether DHS's efforts to open up its $22 billion Enterprise Acquisition Gateway for Leading-Edge Solutions II (EAGLE II) suite of strategically sourced information technology services contracts to small businesses have been successful.
A GAO report released June 24 said DHS had set up programs to create small business tracks within each of EAGLE II's three lines of business; to establish a process to maintain a steady pool of eligible small businesses by reopening the EAGLE II solicitation after requiring businesses that outgrow their small business status to leave the program; and to require small business track prime contractors to team only with other small businesses.
GAO said that, as of March 2015, DHS had issued 74 EAGLE II task orders worth an estimated $591 million, almost all of which went to small businesses. However, the study said, it is too soon to evaluate the full impact of these steps because only about 3 percent of the anticipated $22 billion in task orders have been issued.
GAO said it began the study because the small business community raised questions about strategic sourcing reducing contracting opportunities.
NEXT STORY: OPM contractors in the crosshairs