Federal Government Cybersecurity Survey 2012

Upload: robin-larocco

Post on 05-Apr-2018


7/31/2019 Federal Government Cybersecurity Survey 2012

1/18

April 2012

IT savings or spending sh
NASA's new Web archite
OMB mandates portfolio
State Department CIO ta
Table of contents >>

Plus

Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring. >>

By Ed Moyle and Diana Kelley

informationweek.com/government

2/18

CONTENTS
THE BUSINESS VALUE OF TECHNOLOGY, April 2012, Issue 12

3 Down To Business: Federal efforts to cut IT costs don't go far enough

QUICKTAKES
4 NASA's Web Plan: Space agency's new Web architecture will apply open source, cloud computing, and commercial technologies
6 Tech Portfolios Under Scrutiny: Government-wide IT portfolio reviews are aimed at rooting out duplication
8 Post-WikiLeaks Security: State Department continues to enhance security in order to prevent data leaks

COVER STORY
9 Threats Vs. Readiness: Hacktivists and cybercriminals pose the greatest threats to federal agencies, our Cybersecurity Survey shows. The feds are fighting back with continuous monitoring.

CONTACTS
18 Editorial and Business Contacts

MORE INFORMATIONWEEK GO

Meet Your Peers
Our 2012 Government IT Leadership Fo
event where senior IT leaders in gover
to discuss how they're using technolog
It's May 3 at the Newseum in Washingt
informationweek.com/gov/2012forum

What's Next In Cybersecurity
In this virtual event, experts will assess
cybersecurity in government. It happe
informationweek.com/gov/cyberevent

Cloud In Action
Find out how 10 federal agencies are m
planning to implementation of cloud c
informationweek.com/gogreen/121211gov

IN-DEPTH REPORTS
Mobile Gover
Agencies are w
ad hoc mobilit
coordinated p
improve delive
increase productivity, and reduce costs
informationweek.com/reports/mobilegov

Federal Belt-Tightening Slows Comp
The salary freeze instituted by Presiden
2010 has slowed the growth of IT work
informationweek.com/reports/belt

3/18

Down To Business
Federal IT Savings, Or Old-Fashioned Spending Shuffle?

Federal CIO Steven VanRoekel maintains that over the past three years, the federal government has done much in adopting private sector practices to triage broken IT investments, reduce the IT infrastructure footprint, and innovate with less. But by his own account, it hasn't done enough.

So a few weeks ago, VanRoekel and Office of Management and Budget acting director Jeff Zients introduced PortfolioStat (see story, p. 6), a series of annual data-based reviews of agency IT investments (more sweeping than the existing TechStat program), as well as a new requirement for fed agencies to develop consolidation plans for commodity IT services. All good, as long as these measures actually produce meaningful spending cuts rather than just shuffle federal IT dollars around.

In a memo announcing the two initiatives, VanRoekel called out the Department of the Interior, which he says will realize $100 million in annual savings (on an IT budget of about $1 billion) from 2016 to 2020 by modernizing IT infrastructure and aligning resources to improve customer service. Furthermore, he estimated that IT spending reviews already carried out at Interior have rendered $11 million in cost avoidance and $2.2 million in redirection.

The fact that Interior's fiscal 2013 IT budget is pegged to decline by $28.6 million, or 2.9%, compared with the previous year's budget is a positive sign. But let's see if the agency's annual IT budget falls by anywhere near $100 million between 2016 and 2020.

VanRoekel is quick to note that fiscal discipline is returning to federal IT. After growing at a compound annual growth rate of more than 7% between 2001 and 2009 (lean years for private sector IT organizations), fed IT spending has come in flat ever since. Still, at about $80 billion, the federal IT budget could use a haircut. Instead, for every IT dollar budgeted to be cut next year at the likes of Interior (down $28.6 million) and Justice (down $102 million), an additional dollar will be spent at the likes of Agriculture (up $79.9 million) and Treasury (up $358.7 million).

For all their talk about adopting private sector practices, few in Washington have the stomach or will to make the kinds of hard decisions that companies make all the time, the kinds that cut budgets rather than just
panding. Agency CIOs are a
from the politicians and car
Consider the federal bud
few weeks ago. As part of his
cuts proposed by Wisconsin
Ryan, President Barack Oba
already eliminated dozen
weren't working. But accor
Journal editorial, the savin
nations amount to less tha
get, or less than $100 millio
publicans were penny-pinc
administration. Far from it
George W. Bush's eight yea
doubled to more than $10
VanRoekel and his prede
dra, have done well to id
cost avoidance and red
of the TechStat program.
billions and more from fu
we'll be more impressed.

Rob Preston is VP and editor in chief
can write to Rob at rpreston@techw

Next Steps In Cybersecurity
In this virtual event, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.
4/18

OPEN GOVERNMENT 2.0
NASA Web Plan Incorporates Cloud, Open Source, Social Media

NASA plans to build a new Web architecture that applies cloud computing, open source, and commercial technologies in support of its websites and internal Web services.

The architecture is the flagship initiative of the space agency's newly updated open government plan. NASA and other federal agencies have updated their open government efforts in keeping with version 2.0 of the Obama administration's Open Government Initiative, originally launched in 2009.

The agency's existing Web infrastructure supports the development and hosting of 140 applications and 1,590 websites, deployed on a variety of systems. Its primary site, NASA.gov, draws 600,000 visitors daily and serves as a hub for more than 250 accounts on social media platforms such as Twitter, Facebook, and Foursquare.

The open government plan calls for a single infrastructure to support those apps and a majority of the websites. The agency is looking to use open source, cloud computing, commercial products, and government off-the-shelf technology in lieu of customized technologies. And it plans to make increased use of fast, iterative software development methodologies like agile development.

This effort will provide a new agency-wide capability to create, maintain, and manage the NASA.gov Web environment and associated services, which represent what open government at its best can and sho
gram manager Nick Skytlan
duction to the open govern

Liberating Data
The strategy includes m
data publicly available th
Data.NASA.gov and the fed
The agency plans to release
the next two years, repres
NASA's internal work as po
quire publishing APIs and fu
to liberate data and conte
NASA will also expand its
capabilities. It plans to im
repository with social feat

IT Leadership Forum
InformationWeek's 2012 Government IT Leadership Forum is May 3 at the Newseum in Washington, D.C.

QUICKFACT
NASA.gov gets 140M

5/18

tion, increase the number of challenges it runs to engage the public in projects, and host events that let users of Facebook, Twitter, and other platforms interact with agency personnel.

The agency will launch a pilot program to test the feasibility of using an open source content management system as a replacement for the proprietary system in place. If that goes well, it will consolidate multiple blogging infrastructures to the new content management system within a year. Another near-term objective is to develop an API for releasing content on NASA.gov. Within two years, NASA wants to move its websites to the new Web infrastructure.

Making use of open source was a flagship initiative in NASA's original open government plan, and it's now looking to collaborate more actively with the open source development community. NASA already has an open source code repository, Code.NASA.gov. Its open government site is built on the LAMP (Linux, Apache, MySQL, PHP) software stack and an open source content management system.

Also, the agency is looking to expand use of technology accelerators, initiatives such as public-private partnerships and innovation mentoring. The agency points to its International Space Apps Challenge and Random Hacks of Kindness volunteer development program as examples of such efforts.

J. Nicholas Hoover ([email protected])

6/18

THE SHARED-SERVICES ALTERNATIVE
White House Seeks To Root Out IT Duplication With Portfolio R

White House efforts to wring savings from federal IT investments have received another push, this time in the form of a new plan to conduct government-wide IT portfolio reviews, along with new requirements for centralizing IT services.

Jeff Zients, acting director of the Office of Management and Budget, and federal CIO Steven VanRoekel on March 30 announced two initiatives: one called PortfolioStat, a series of face-to-face, data-based reviews of agency IT portfolios, and another requiring agencies to develop consolidation plans for commodity IT services.

Their memo implored agencies to focus on high-value IT investments and stop deploying redundant IT services. "The stove-piped and complex nature of the federal enterprise has led over the years to a proliferation of duplicative and low-priority investments in information technology," they wrote. "At the same time, agencies too often seek to develop homegrown, proprietary solutions first, before assessing existing options for shared services or components."

PortfolioStat was inspired by private-sector practices as well as by OMB's TechStat program, launched in January 2010 by former federal CIO Vivek Kundra. In the early going, TechStat was used to identify big-budget IT projects that were at risk of running over budget or falling behind schedule, which in turn led to corrective action. TechStat project reviews are now applied more broadly within agencies. The Obama administration says that TechStat has generated som
ings and cost avoidance s

The Dark Corners
Businesses have used IT
ment for years, and OMB lo
Restaurants, and Symant
plans for PortfolioStat. Va
post, writes that PortfolioS
the maturity of agencies' IT
ment processes and give t
into the darkest corners of t
find wasteful and duplicativ
As part of the PortfolioSt
deputy secretaries or chief
are required to work with t
agency CIOs, CFOs, and ch
cers to sift through and find
portfolios. This level of exe
is a direct reflection of ou
strategic asset that can dra
productivity and the way
their mission, VanRoekel w
PortfolioStat sessions w

PortfolioStat's 5-Step Process
>> PHASE 1 Provide high-level survey of agencies' IT portfolios.
>> PHASE 2 Develop action plan; consolidate duplicative systems and contracts.
>> PHASE 3 Conduct PortfolioStat review; identify next steps.
>> PHASE 4 Document cost savings, improvements gained through review.
>> PHASE 5 Share lessons learned for continuous process improvement.
7/18

modity IT investments, redundant or duplicative systems and services, and investments that are poorly aligned to an agency's mission. OMB outlined a five-step process for the program, beginning with baseline data gathering and concluding with an assessment of lessons learned. The document describing those processes provides deadlines for specific objectives to be completed over the next 10 months.

In the early going, agencies must complete a survey of their IT portfolios and a bureau-level information request for specific types of commodity IT investments that will be used in assessing the portfolios. That review will be followed by one-hour PortfolioStat review sessions, the first of which must be held by the end of July. Those sessions are supposed to lead to "concrete next steps to rationalize an agency's IT portfolio," according to the memo.

Agencies are required to create consolidation plans for the commodity IT services they use, with final plans by the end of August. PortfolioStat leaders are to set targets for reducing spending on commodity IT and demonstrate how IT portfolios align with agency missions and business functions. By year's end, agencies are expected to transition two commodity IT areas, such as email, wireless services, or productivity tools, to shared services or consolidated purchasing.

J. Nicholas Hoover ([email protected])

8/18

SECURITY FIRST
State CIO Outlines Post-WikiLeaks Steps

Eighteen months after its diplomatic cables were exposed in the WikiLeaks breach, the State Department continues to lock down its confidential information, while using social media to further its work in other ways.

State Department CIO Susan Swart, in an interview with InformationWeek at the agency's Washington, D.C., headquarters, outlined steps under way to prevent any further data leaks. "The State Department has continued to enhance the security of our classified data and systems post-WikiLeaks," she said, adding that the department is playing a lead role in the interagency response to WikiLeaks that was launched last year by presidential order.

The agency is deploying new security technology, including auditing and monitoring tools on its classified networks and systems. State has also begun tagging information with metadata to enable role-based access to those who need it, and is planning to implement public key infrastructure on its classified systems by the summer of 2014.

Following the November 2010 WikiLeaks breach, the State Department suspended outside access to several of its classified information portals. Those portals, including the Net Centric Diplomacy diplomatic reporting database, ClassNet classified websites, and some SharePoint sites, remain largely inaccessible or subject to restricted access from other networks.

The agency has also improved its cybersecurity training, and it's working closely with the Department of Homeland Security and the National Security Agency on cybersecurity issues.

Other Priorities

The department's other technology priorities include IT consolidation, mobility, social media, cloud computing, and improved IT governance, Swart said. The agency is also analyzing the tech tools that are available to diplomats and what more may be needed. Any additions will have to be carried out within the context of a lower IT budget. The White House's proposed budget for fiscal 2013 would decrease IT spen
Department by 4.8%, to $1
One high priority is to con
affairs community onto a
known as the Foreign Affair
other federal agencies, the
consolidating data centers.
it's going from 14 data cen
classified processing from
being done in a handful of
Under its eDiplomacy in
Department is ramping u
media and the Internet for
erations. The agency curr
ployees dedicated to the e
using the Web and other
tions technologies to furth
relations efforts.
Examples of the eDiplom
way include the departm
public social networks, exte
Note, an internal bloggin
known as Communities @
based collaborative ency
matic affairs called Diplope
on Wikipedia.

J. Nicholas Hoover

Photo caption: Swart: Sta has enhan
9/18

FEDERAL GOVERNMENT CYBERSECURITY SURVEY

Threats Vs. Readiness
Hacktivists and cybercriminals pose the greatest threats to federal agencies. The feds are fighting back with continuous monitoring.

By Ed Moyle and Diana Kelley

Cybersecurity is the No. 1 priority of federal IT profes
shot. That's been the key finding of InformationWe
ernment IT Priorities Survey each of the past two ye
have to look any further than the threats posed
LulzSec, or WikiLeaks to understand why.
What are the most dangerous cyberthreats? And ho
sponding? InformationWeek launched our 2012 Fed
Cybersecurity Survey to find out. Our poll of 106 f
volved in IT security for their organizations was condu

10/18

asked respondents to rank the threats they face and their readiness to deal with them. We inquired about cybersecurity spending and where agencies are investing. And we probed into the most significant challenges they face.

Our survey results show that organized cybercriminals and hacktivists are viewed as the greatest threats to IT security. At the same time, government IT pros say they're least prepared for leaks that take place through social media. And a crush of competing priorities is the biggest challenge to effective execution.

The good news is that agencies feel they've made significant improvements in cybersecurity. This is the perception of agencies themselves, as well as the assessment of government evaluators charged with monitoring progress under the Federal Information Systems Management Act (FISMA).

Despite the progress, attacks are on the rise, and agencies must continue to bolster their defenses. In a report to Congress published in March on FISMA implementation in fiscal year 2011, the Office of Management and Budget (OMB) disclosed that the number of computer security incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) that impacted governmen
to 43,889. Longer term, fe
curity incidents have ris
years, according to a repo
by the Government Acco

Top Security Initiatives
Which of these IT security and cybersecurity initiatives are most important to your agency?

Implementing continuous monitoring systems: 43%
Upgrading standard defenses (e.g., firewalls and antivirus): 41%
Improving security of agency-issued mobile devices: 35%
Deploying intrusion-prevention capabilities: 27%
Implementing technologies and processes to thwart insider threats: 25%
Deploying PKI-based ID smart cards: 23%
Hiring and cultivating cybersecurity skills: 18%

Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology profe

Get This And All Our Reports
Our full report on federal cybersecurity is free with registration. This report includes 26 pages of action-oriented analysis, packed with 15 charts.
What you'll find:
> The top cybersecurity priorities of federal agencies
> How FISMA compliance affects cybersecurity planning
11/18

explaining that increase, the GAO cited persistent weaknesses in information security controls, due to incomplete implementation of security programs.

So clearly, there's room for improvement in how agencies prepare and respond. Step one is raising awareness of cyberthreats and establishing an organizational commitment to readiness. It's imperative that an agency's top leaders, not just chief information security officers and their information assurance teams, get behind the effort. Steps to improve security include meeting the FISMA requirements and also understanding the security implications of new technologies such as virtualization and cloud computing.

Underscoring the urgency of cybersecurity, the White House and Congress are both involved in national planning. President Barack Obama called cyberthreats "one of the most serious economic and national security challenges we face as a nation," and there are two security bills moving through Congress, the bipartisan Cybersecurity Act of 2012 (S. 2105) and the GOP-sponsored Secure IT Act of 2012 (S. 2151).

A majority of federal IT pros feel they're up to the task. When asked about their overall state of cybersecurity readiness, 83% of survey respondents rate their agencies as excellent or good.

But are they being overly confident, which could be dangerous? According to OMB's report to Congress for FY 2011 on FISMA policy compliance in several broad areas, including continuous monitoring, trusted Inter-

12/18

net connections, and implementation of identity smart cards under Homeland Security Presidential Directive 12 (HSPD-12), agencies were 73% compliant in the areas measured, compared with 55% in FY 2010. That's progress, but with room for improvement. The other side of the story is 27% noncompliance.

To close the gap, agencies are asking for more funding for their cybersecurity initiatives. The Department of Homeland Security requested $769 million for security initiatives in its FY 2013 budget, a 60% increase over the previous fiscal year. DHS seeks to establish broader capabilities in network security, expand research and development, and add support for enforcement of cybercrimes, among other areas of investment.

Our survey sheds light on spending plans more broadly. A quarter of respondents say that their agencies will increase cybersecurity spending by more than 5% in FY 2013, and another 29% indicate spending will rise by up to 5%. On the other hand, cybersecurity spending is expected to be flat at 29% of agencies and decrease at 9%, and that's cause for concern. (Eight percent didn't know or declined to answer.) We understand that overall IT budgets are flat or declining in many agencies, putting pressure on all areas of investment. But IT decision-makers must find ways to adequately fund cybersecurity infrastructure, given the trend toward continuous monitoring, the requirements of FISMA, and the fact that cybersecurity is the No. 1 IT priority across government.

FISMA Compliance

When it comes to what influences cybersecurity planning in agencies, FISMA is king. In our survey, FISMA ranks a
cant influencing factor for
egy, just ahead of the cont
requirement and US-CERT,
curity incidents and the Ein
tection system.
As any information secur
tell you, FISMA hasn't been
critics argue it isn't making
cure. You're drawing aw
what's important by tak
were focused on real secur
ing them instead on chec
Dave Amsler, president
ground Security.
The government has red
bureaucratic burden throu
process for automating FIS
than 75% of the agencies r
fice of Management and
port can now provide aut
to CyberScope, compared

Photo caption: NIST's Ross: Continuous monitoring aims to reduce risk
13/18

demonstrated this capability a year earlier.

Even so, FISMA compliance fell for more than half of 24 agencies reviewed in the report, which assesses IT security programs in 11 areas, including risk management, configuration management, and identity and access management. Only seven agencies achieved more than 90% compliance in the areas measured. Eight agencies fell into the red zone in the report, meaning they have less than 65% FISMA compliance. The departments of Transportation, Interior, and Agriculture were at the bottom of the list. The Department of Defense didn't provide enough detail on its compliance levels to be included in the report.

Much work remains in satisfying the White House's cybersecurity priorities. As outlined in OMB's FISMA report, the administration's top three priorities for FISMA are continuous monitoring, logical access control (as spelled out in HSPD-12), and trusted Internet connections (TIC v2.0). The priority areas were selected based on the overall impact they have on cybersecurity readiness. Here's how plans to implement those three initiatives are shaping up, as reflected in our survey results.

Continuous Monitoring

Continuous monitoring is getting the lion's share of attention from agencies. The goal is to replace a static, point in time view of an agency's information security posture with near-real-time visibility into system health. It's important not just because it's re-
  • 7/31/2019 f e d e r a l g o v e r n m e n t c y b e r s e c u r i t y s u r v e y 2012

    14/18

    quired under FISMA, but because it makes

    good operational sense.

Continuous monitoring gets rated as the top cybersecurity initiative in our survey, with 43% of respondents choosing it from a list of 10 possibilities. (Respondents were asked to select their three most important initiatives.) That was followed by improvements to standard defenses (e.g., information security software like firewalls and antivirus), identified by 41%, and mobile device security, at 35%.

This tells us that, while federal IT pros recognize the importance of traditional security controls and defenses, they also understand they likely need to improve continuous monitoring. Continuous monitoring is largely about managing risk, says Ron Ross, senior computer scientist with the National Institute of Standards and Technology (NIST) and project leader for the FISMA Implementation Project. "We start by looking at the risk assessment, based on what adversaries are doing that might be a threat and impact the mission," Ross says. "The goal of continuous monitoring is to attempt to evaluate the actual performance of the controls at reducing overall risk."

So agencies must understand the risks posed to their systems and networks, and the monitoring plans they put in pla

    on those risks and reduce t

    sey, senior information sec

    NIST and author of special p

    Information Security Cont

    For Federal Information Sy

    zations, says that getting twrong can undermine con

    efforts. Everything starts

    agement framework, Dem

    isnt right, everything that

    be at issue. A good conti

    framework will lead you to

    ate control selection, and t

    you to look for ways to mo

    Whats good monitoring

    standing a few things abcontrol: whether its functi

    appropriate to the task at h

    environment within whic

    ates. For example, the p

    federal law enforcemen

    agencies have become f

    Anonymous and LulzSec.

    That leads IT to focus on

    collect and not just what i

    cies will look to automate

    they shouldnt ignore that

    formation might only be a

[Chart: What's Your Agency's Overall Cybersecurity Readiness? Response options: Excellent (appropriate systems, processes, and policies in place); Good (some systems, processes, or policies need updating); Poor (necessary systems, processes, or policies are lacking); Don't know or decline to say. Percentages shown on the chart, whose mapping to the options is not recoverable from the extracted text: 58%, 25%, 10%, 7%. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

manual collection process. Automated metrics may be more cost effective, but those alone could leave you with an incomplete picture of the environment.

Pete Lindstrom, research director of Spire Security, warns about becoming slowed by data overload. "A jumble of arbitrary data without a frame of reference isn't monitoring; it's white noise," he says. "A valuable metric is one that tells us something about effectiveness of the control, efficiency of operation, or both."

Continuous monitoring needs to be more than just a distillation of what you're currently collecting. Dave Shackleford, CTO of security research firm IANS, recommends comprehensive whitelisting (granting privileges to trusted users or sites) and file integrity monitoring (keeping a close eye on changes to server files). "Monitoring things like antivirus and host-based IDS has some merit but has proven ineffective in countering the more advanced threats seen today," Shackleford says.
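The file integrity monitoring Shackleford recommends, reported through the kind of metric Lindstrom describes (one that says something about a control's effectiveness rather than adding to the noise), as an added Python example. It is not code from the article, from IANS or from Spire Security. It hashes a directory tree into a baseline, re-scans it, classifies drift, and reduces the result to a single number; the directory layout and file names (`etc/sshd_config`, `bin/tool`, `bin/dropper`) are constructed in a temporary folder purely for the demonstration.

```python
"""File integrity monitoring with an effectiveness metric (added example).

Builds a SHA-256 baseline of every regular file under a root, re-scans later,
and reports added / removed / modified files plus the fraction of baselined
files that drifted. The sample tree is constructed in a temporary directory,
so the script runs offline; none of the paths refer to a real system.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot smuggle
    unrelated content into the baseline. In production the baseline must be
    stored out of band (signed, or on a host the monitored system cannot
    write to); a baseline the attacker can rewrite proves nothing.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify drift between two scans of the same root."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def drift_metric(old: dict, drift: dict) -> float:
    """Fraction of baselined files that were modified or removed (0.0 = no drift).

    Added files are reported but not counted here: they say nothing about
    whether the files you chose to protect stayed intact. Tracked over time
    per host, this number distinguishes a system that is actually stable
    from one that merely generates a lot of events.
    """
    if not old:
        return 0.0
    return (len(drift["modified"]) + len(drift["removed"])) / len(old)


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate one tampered
    file, one deleted file and one dropped file, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Simulated changes an integrity monitor should surface (constructed).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "dropper").write_bytes(b"unexpected new binary")
        rescan = build_baseline(root)

        drift = diff_baseline(baseline, rescan)
        drift["metric"] = drift_metric(baseline, drift)
        return drift


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two of the three baselined files drifted, so `demo()` returns a metric of 2/3 alongside the three named changes; a real deployment would run `build_baseline` on a schedule against a signed stored baseline and alert on any non-empty `modified` or `removed` list for files under change control.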

HSPD-12: Tackling Identity Management

Recognizing that a single, trusted source of user identity information is critical to information security, HSP

    bring a unified identity m

    egy to federal governmen

    quires that all agencies m

    robust credential: a Perso

    cation (PIV) smart card

    used for digital signaturetication. In our survey, 23

    identify deployment of P

    cards as one of their top t

    initiatives.

The specifics of the p

    cards are outlined in a W

    issued in February, titled

    mentation of HSPD-12

    mon Identification Standa

    ployees And Contractorsshould at least have a pl

    ceed, particularly as it rela

    tion of physical and logica

    tems, a key tenet of th

    identity management pla

    According to the Offic

    and Budgets FISMA repo

    employees and contract

    sonal Identity Verificatio

    have them. Moreover, 66

    user accounts are configu

    cards to authenticate to a

[Chart: What's The Most Significant Challenge To IT Security At Your Agency? Response options: Competing priorities and other initiatives; Lack of clear standards; Lack of top-level direction and leadership; Reliance on vendors for aspects of security; Lack of technical solutions; Other; Complexity of the internal environment; Resource constraints. Percentages shown on the chart: 35%, 31%, 10%, 8%, 6%, 4%, 4%, 2%; the article text attributes 35% to competing priorities, 31% to resource constraints, and 4% to lack of technical solutions, while the remaining mapping is not recoverable from the extracted text. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]

up from 55% in fiscal year 2010. It's progress, but the job's not done.

Trusted Internet Connections

The third of the White House's cybersecurity priorities is consolidating traffic under the trusted Internet connections initiative, which aims to consolidate and apply baseline security measures to external network connections, including the Internet. Such controls include network filtering and other capabilities, such as the National Cybersecurity Protection System's Einstein 2 incident monitoring. That capability is being updated in Einstein 3, which adds real-time packet inspection and applies predefined signatures for threat detection.

TIC should be on every agency's radar at least until September, the next critical milestone. By then, all TIC Access Providers (designated agencies that provide TIC services to other agencies) must be 100% compliant with the TIC v2.0 reference architecture. Other agencies must achieve TIC v2.0 capabilities by that same date through use of an approved and accredited TICAP for all external connections.

Not Ready For Social And Mobile

InformationWeek's 2012 Federal Government Cybersecurity Survey shows that agencies are least prepared for some of the newest threats. When asked to rate their level of readiness, respondents give some of their lowest scores to leaks through social media (with 28% completely or somewhat unprepared) and unsecured mobile devices (18% completely or somewhat unprepared).

Federal IT managers are racing to get ahead of those risks. The

    ample, recently warned

    that geotagging photos o

    other social media coul

    units location. And the

    Agency, the Departmen

    civilian agencies are eva

    cure mobile devices, as

[Chart: What's your agency's level of preparedness for these attacks? Threats listed: Malware and spyware; Phishing attacks on agency employees; DDoS; Cyberattack by foreign governments; Zero-day exploits; Leaks through service providers or partners; Insider threats; Unsecured mobile devices; Leaks through social media. Scale runs from 1 (Completely unprepared) to "Ready For Attack". Scores visible on the chart: 4.0, 3.9, 3.9, 3.7, 3.7, 3.5, 3.4, 3.2 (one value and the threat-to-score mapping are not recoverable from the extracted text). Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]
look to use them in their daily work.

We also asked respondents to rank threats, from greatest to lowest. Topping the list are organized cybercriminals and hacktivists, a reflection of the emergence of groups such as Anonymous and LulzSec, which have launched denial-of-service attacks against some federal agencies. Insider threats rank second, followed by foreign states.

Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, testified before Congress in March on the emergence of China as one such threat. China is stealing a great deal of military-related intellectual property from the United States and was responsible for last year's attacks against RSA, Alexander told the Senate Armed Services Committee. "We need to make it more difficult for the Chinese to do what they're doing," he said.

In terms of tools and technologies for establishing cybersecurity, the most widely deployed are workaday controls like firewalls (used by 96% of respondents), antivirus software (94%), anti-spyware software (93%), and VPNs (91%). Mobile device security (70%) and cloud services security (52%) are lower on the list of in-use technologies, but they're the two that will be most in demand as first-time security technologies in FY 2013. Both illustrate the evolving nature of cybersecurity requirements, as new technologies are brought into the workplace, forcing security teams to respond.

When asked about the most significant challenge to their IT security efforts, survey respondents point first to a familiar problem: too many competing priorities and other initiatives, cited by 35%. That's followed closely by a second, equally familiar issue, resource constraints (31%).

Notably, technology itself doesn't seem to be much of a problem. Only 4% of survey respondents cite lack of technical

    gle biggest challenge to theAgencies can ease the r

    redirecting funds from lo

    tives toward their cybersec

    the emphasis that IT pro

    place on cybersecurity, an

    ing paid by the White Hou

    would seem that when t

    should be a budget.

    Ed Moyle is a senior security strateg

    Kelley is a security adviser and co

    [email protected].

[Chart: How Will Cybersecurity Spending Change In Fiscal Year 2013? Response options: Increase more than 5; Increase 1% to 5%; Stay the same; Decrease 1% to 5%; Decrease more than 5%; Don't know or decline to say. Percentages shown on the chart, whose mapping to the options is not recoverable from the extracted text: 29%, 29%, 25%, 8%, 7%, 2%. Data: InformationWeek 2012 Federal Government Cybersecurity Survey of 106 federal government technology professionals, March 2012]


Copyright 2012 UBM LLC. All r
