The recent wave of data breaches suffered by Federal government agencies has highlighted the importance of cyber security for their systems. For years the federal government has operated outdated IT infrastructure and architecture, leaving its systems exposed to cyber-attacks. At the same time, the government is expected to spend $78.3 billion this year on IT, prompting calls for more efficient operations. “For decades the federal government has operated with poorly managed and outdated IT infrastructure,” committee members said in a statement. “Cyberattacks are a real threat to this country. Federal agencies must act now.”
The US government defined a set of indicators, the scorecards, to measure how far agencies have implemented four key provisions of the Federal Information Technology Acquisition Reform Act (FITARA), which Congress passed in December 2014. The purpose of the bill is to improve the acquisition and management of federal information technology assets by reforming the federal IT acquisition process. The expected result is a drastic reduction in spending on outdated legacy technology and an increase in security awareness.
What does FITARA mean for security?
Data centers that are not considered critical are a potential source of problems: they may also store sensitive data, yet they are likely to be poorly maintained, and they expand the attack surface of government infrastructure. The “Evaluation of DHS’ Information Security Program for Fiscal Year 2015,” conducted on the department’s IT infrastructure by the DHS Office of Inspector General, revealed that the US Department of Homeland Security is running dozens of unpatched and vulnerable databases.
The audit found serious security issues in the department’s systems, including 136 systems with expired “authorities to operate” (ATOs), meaning they were running without a current security authorization and, in practice, that their security controls had not been recently reassessed. The principal problem discovered by the inspectors is that a number of systems, despite being operational and under maintenance, were missing up-to-date security patches, leaving them open to cyber-attacks.
Of the 136 systems, 17 contain information classified as “secret” or “top secret.” Looking deeper into the report on the DHS Information Security Program, one thing that stands out is that the Coast Guard runs 26 vulnerable databases, followed by FEMA with 25, Customs and Border Protection with 14, and DHS headquarters with 11. Even though agencies are receiving unsatisfactory grades, the FITARA initiative is valuable precisely because it forces a prompt response from them.
The state of FITARA compliance today
The latest FITARA report evaluates the level of implementation of the Act and ranks the agencies with scorecards. The scorecards are assigned after evaluating a number of factors, such as the consolidation of data centers, the cutting of unnecessary spending, the strengthening of the authority of existing Chief Information Officers (CIOs) within federal agencies, and the adoption of best practices for project risk assessment.
The top 24 federal agencies were ranked on their implementation of the Federal IT Acquisition Reform Act (FITARA), and unfortunately the results are disconcerting for all but two. The House Oversight and Government Reform Committee, working with data from the Government Accountability Office (GAO), assigned scorecards to these agencies by evaluating four areas within FITARA: data center consolidation, IT portfolio review savings, incremental development, and risk assessment transparency.
Figure 1 – House Oversight and Government Reform
David Powner, director of information technology management issues at the Government Accountability Office, reported that the number of data centers belonging to federal agencies has actually grown to 11,700, but only 275 of them are used intensively by the government.
The grades for the first two areas are based on the agency’s ability to save money by consolidating data centers and reviewing its IT portfolio. The grade for incremental development is calculated by measuring how many IT projects tied to major investments are successfully completed and delivered every six months. The risk assessment grade is assigned by analyzing how agencies manage the risk of their major IT projects.
In every category except risk assessment, the majority of agencies received an F, while just three agencies earned more than one A in any category (the Nuclear Regulatory Commission, the Environmental Protection Agency, and the Commerce Department).
Of the 24 agencies FITARA covers, the majority received a D grade or lower overall, and no agency earned an A overall. At the top, the Department of Commerce and the General Services Administration both received a B. At the bottom of the list we find the Departments of Energy and Education and NASA, which received failing grades of F.
It is intriguing and surprising to see the Department of Homeland Security receive a C. DHS is considered a strategic agency for homeland security, and such a grade is hardly acceptable for an agency charged with the security of a nation. The State Department received a D. That is the same department that in November 2014 took the unprecedented step of shutting down its entire unclassified email system in response to a major cyber-attack.
Three months after the intrusion into the U.S. State Department e-mail system, US specialists were still working to secure the network.
“Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn’t been able to evict them from the department’s network, according to three people familiar with the investigation,” reported the Wall Street Journal.
In March 2015 a controversy embroiled the same department, when it became publicly known that Hillary Rodham Clinton had exclusively used a private email server for official email communications while serving as United States Secretary of State.
The Office of Personnel Management (OPM) received a D on the FITARA scorecard, an unsurprising result given the conditions behind the massive data breach that exposed the personal data of 21.5 million federal employees and other individuals, along with other sensitive information. The security community accused the agency of having “left the barn door open” to the attackers by failing to apply the most basic security measures.
The FITARA ranking is not intended to stigmatize worrying situations, but to push agencies to use the information in the report card to improve their processes and to bring a modicum of accountability. “I am so grateful to this committee for FITARA,” commented Transportation Department CIO Richard McKinney, whose agency received a D. Federal CIO Tony Scott firmly believes that FITARA is an opportunity to be seized so that agencies can improve the management of information technology across the federal government.
“FITARA presents a historic opportunity to reform the management of information technology across the federal government,” said Scott. “It’s important that we do not underestimate the work and the commitment required by agencies and the broader ecosystem to fully implement this law and the changes it represents in culture, governance, IT processes, business processes, and quite frankly the way we do oversight. Simply replaying pages from the old playbook is not the solution.”
Analyzing the scorecards obtained by the agencies shows that “data center consolidation” represents a serious issue for five of the 24 agencies; their activities in that area were graded an F.