Federal Inspectors Want to Double-Check How Agencies Fared During ‘Cyber Sprint’
Ground-truthing is partly a way for IGs to maintain a role in information security oversight, now that DHS is in charge.
Internal watchdogs want to double-check that agencies have made as much progress practicing basic cyber hygiene as they told the White House in July.
The Obama administration in June launched a so-called 30-day cybersecurity sprint, commanding agencies to monitor computer logs, patch critical vulnerabilities and cut the number of "privileged" users with free rein over systems, among other things.
“Right now, the agencies and the agency chief information officers are self-reporting a lot of their work” to the Department of Homeland Security and the White House, said Peter Sheridan, assistant inspector general for IT at the Federal Reserve and the Consumer Protection Financial Bureau.
The verification is partly a way for agency inspectors to maintain a role in data integrity oversight. The 2014 Federal Information Security Modernization Act tasked DHS with supervising governmentwide cyber operations.
Taking a "collaborative approach," Sheridan said, the inspector general community asked: “Should the IGs now be coming in and validating the responses that the agencies provided” after the sprint?
"We've developed a very good working relationship with the folks at DHS," Sheridan said.
Many of the milestones in the cyber race were supposed to have been achieved under the 2002 Federal Information Security Act, or FISMA. Inspectors general annually gauge compliance with FISMA rules, including multistep logins. The IGs were in the process of doing so when the sprint began.
The 30-day exercise was prompted by the failure of the Office of Personnel Management to catch a network intrusion, in which hackers stole private details on 21.5 million current, former and prospective federal employees along with family members. Agencies reported their results to the administration in July.
The White House has said that, following the sprint, 97 percent of OPM computer users and more than 72 percent of users governmentwide now cannot get into agency systems without a smart card and password.
"There are intersections of areas that the FISMA evaluations cover that are also important to the cybersecurity sprint, such as privileged accounts and multifactor authentication," said Kathleen Tighe, chair of the IT committee of the Council of the Inspectors General on Integrity and Efficiency.
The White House Office of Management and Budget and the inspectors have agreed the watchdogs will perform normal FISMA audits and then OMB will compare those assessments with the sprint self-assessments, she said.
The FISMA audits are due to the White House around mid-November.
The White House will "touch base with IGs on a one-on-one basis to see if there's any kind of, say, discrepancies or just reporting issues that they would be interested in following up on," Tighe, who also serves as the Education Department IG, told Nextgov.
But the watchdogs will not stop there.
"I think the IGs will have a discussion once our FISMA work is done to see what other areas we might want to look at that might relate to the cyber sprint," she said. Already in the pipeline is a project related to the security of publicly accessible agency websites, she added.