By Jason Miller
March 2, 2007
The state of the government's cybersecurity position has improved over
the past year, but significant holes remain, especially in the areas of
categorizing the risk level of systems and training, according to the
Office of Management and Budget.
OMB found that more than 700 systems, including 397 managed by agencies,
had not been categorized as high, medium or low risk. Also, the
administration said more agency employees have received information
technology security training, up 10 percent since last year, but more
needs to be done.
In its fourth annual Federal Information Security Management Act report
sent to Congress March 1, OMB said it will rely on the Security Line of
Business effort to better train employees by using a standard program.
OMB named three shared-service centers for security training in
February: the Office of Personnel Management, the State Department and
the U.S. Agency for International Development, and the Defense
Overall, OMB found that agencies have certified and accredited 89
percent of the 10,595 federal systems. This is a 1 percent increase
since last year on more than 300 systems that departments identified.
State and the Homeland Security Department made the most progress, while
four agencies, which the report does not name, did not characterize the
risk of a significant number of systems, OMB said.
This suggests these agencies are not prioritizing their systems and
working to secure the systems presenting the highest-risk impact level,
nor do they know at what level to secure those systems not categorized,
the report states. OMB intends to follow up individually with these
The report also said agencies made progress in testing their
security controls and contingency plans. OMB found that 88 percent of
all systems had their security controls tested, while 77 percent of them
had their contingency plans tested. This is up from 61 percent and 72
percent, respectively, last year.
DOD increased its system testing by more than 30 percent last year, OMB
Agencies also are paying more attention to systems managed by
contractors. OMB said 18 of 24 agencies said they either frequently,
mostly, or almost always have sustained oversight of contractor-run
Beyond securing their systems, agencies also recorded a large increase
in the number of security incidents reported to the U.S. Computer
Emergency Response Team (CERT).
Agencies reported 706 unauthorized accesses, up from 304 in 2005. OMB
credits most of the increase to the focus on reporting lost or stolen
computers and other hardware containing personally identifiable
Privileged or root system access accounted for 25 percent of
unauthorized access incidents, more than double that of non-privileged
access, the report states.
Meanwhile, denial-of-service attacks increased by six in 2006 to 37,
while incidents involving malicious code dropped to 1,465 from 1,806 in
The reason for this is probably two-fold: no major virus outbreaks of
note in fiscal year 2006, and improvements in patching systems in a
timely manner that prevent vulnerabilities from being exploited, the report
OMB did say that the number of incidents being investigated increased by
11 times. Officials credit the increased use of intensive analysis of
suspicious traffic under the Einstein program, run by CERT.
Over the next year, OMB will work with federal agencies to increase the
exchange of packet-level information regarding incidents that have
penetrated an agency's perimeter, the report states. Sharing this data
will enable more effective analysis of attacks targeting multiple
federal agencies, and may enable more timely responses to new threats.