New Federal CIO Withholds InfoSec JudgmentTony Scott Awaits Results of 'CyberStat' Agency Reviews
After nearly 2Â½ months on the job, federal Chief Information Officer Tony Scott was reluctant to offer Congress a detailed assessment of the quality of agencies' information security until reviewing results of pending "CyberStat" reviews.
"Nine weeks in, it's a little difficult for me to give you a sort of comprehensive answer to that," Scott responded to a question from a lawmaker about his take on the state of the federal government's cybersecurity. "What I observed so far is that there is a range, and that range is dependent upon the agencies that we're talking about here."
Scott, named in February to the post statutorily known as administrator for electronic government and information technology, told the House Oversight and Government Reform Committee last week that OMB is conducting meetings with federal agencies to rate their implementation of IT security. As a result, he said he'll reserve judgment until those "CyberStat" sessions are completed.
In CyberStat sessions, cybersecurity experts from OMB, the Department of Homeland Security and the national security staff help agency IT security leaders develop actions plans to improve their information security posture.
"There is no agency, even the ones that we looked at so far, who we believe is doing a really good job, who would say, 'We're done' or 'we've done enough and, you know, it's the end of job,'" Scott said. "Everyone believes there's more that we can and should do."
Inconsistencies on Security Implementation
In his first appearance before Congress as federal CIO, Scott said third-party contractors and vendors have been inconsistent in implementing IT security protections, but blamed the government, in part, for that failure.
"Federal agencies did not have adequate contractual language, policy direction or awareness of best practices to guide how contractors and agencies should respond to intrusions and/or actual breaches," said Scott, who as federal CIO oversees implementation of the Federal Information Security Management Act, the law that governs federal government IT security.
GAO's Gregory Wilshusen on federal agencies managing contractors' IT security.
At last week's hearing, the Government Accountability Office's Gregory Wilshusen reminded lawmakers of the multitude of risks the government faces from cyber-attacks.
"Until agencies take actions to address these challenges, their systems and information will be at increased risk of compromise from cyber-based attacks and other threats," said Wilshusen, GAO's director of information security issues.
Citing an August 2014 GAO report, Wilshusen said five of six agencies his office reviewed were inconsistent in overseeing assessments of contractors' implementation of security controls. "Agencies had not documented IT security procedures for effectively overseeing contractor performance," he said.
Federal Government IT Security Incidents, FY 2006-2014
GAO analysis of U.S.-CERT data
These inconsistencies in overseeing assessments come at a time when reported cyber-incidents within the federal government have dramatically increased. In 2006, the U.S. Computer Emergency Readiness Team received 5,503 reports of cyber incidents. Last year, U.S. CERT received 67,168 such reports. In just the past year, a GAO analysis of U.S. CERT data shows, reported cyber-incidents rose by nearly 10 percent.
Federal Government IT Security Incidents, By Category
GAO analysis of U.S.-CERT data for fiscal year 2014
Weakness in Approach
"The danger posed by these threats is heightened by weaknesses in the federal government's approach to protecting federal systems and information, including personally identifiable information entrusted to the government by members of the public," Wilshusen said, noting that GAO and inspectors general have made myriad recommendations to improve federal government IT security. Implementing the recommendations, he said, will "reduce the risk of the potentially devastating impacts of cyber-attacks."
As the new federal CIO, Scott pledged to pursue programs to make federal government IT more secure, saying it's a top priority for the Obama administration.
"Having recently left a private sector CIO role, I can attest to the fact that having a strong cybersecurity program is critical to ensuring mission success," said Scott, who has served as CIO at VMware, Microsoft and The Walt Disney Company. "This is no different in the federal government," he said. "Given the evolving threat landscape, it is imperative that we do everything in our power to ensure the security of government information and networks. In this interconnected world, we have to ensure that agencies, third-party contractors and vendors, and the citizens we serve all are protected from these threats."