The Office of Personnel Management breach in June 2015 was a big wake up call to our federal government, and, in its wake, a number of initiatives were launched to improve the government's cybersecurity posture. Despite several concrete improvements, progress has stalled in some areas, as demonstrated by a series of assessments conducted since the breach occurred.
In the fall of 2015, the Government Accountability Office (GAO) conducted its first assessment under the Federal IT Acquisition Reform Act, which covers cybersecurity as well as other areas of IT. Out of 24 agencies, none received an A, two received Bs, five got Cs, 14 got Ds and three agencies -- the Department of Education, the Department of Energy and NASA -- received failing grades.
Over the following six months, seven agencies raised their scores, and one saw its score go down. By the time of the following assessment, in late 2016, 12 agencies improved their scores and, again, one fell. The most recent version of the scorecard, released by the House Oversight and Government Reform Committee on June 14, shows that progress had stalled. Only four agencies improved their scores, and five saw their scores fall.
Today, only one agency, USAID, scored an A. Seven agencies scored Bs, 10 got Cs, five got Ds, and one agency, the Department of Defense, fell to an F, according to a copy of the scorecard obtained by Federal News Radio. Zeroing in on the transparency and risk management scores, five agencies received failing grades.
The government had three main problem areas to address after the OPM breach: management, bureaucracy and the technology itself. While there has been some progress on the tech front, many of the bigger organizational issues remain.
The buck stops... where?
A key lesson of the OPM breach was that the problems started at the top. “The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology,” the House Oversight Committee wrote in its 241-page report about the causes and consequences of the breach.
Real cybersecurity improvements start when an organization, including its top leaders, is aware of and engaged in the problem. The OPM actually improved in this area, from a B score last summer to an A in this month's FITARA scorecard.
Other agencies fared poorly. In fact, leadership is one of the areas that saw the least progress after the OPM breach. Last August, nine agencies received Fs for the degree of authority of their CIOs. This improved only slightly this month, to seven.