In his testimony before the House Committee on Oversight and Government Reform earlier this month, Gartner research director Rick Holgate criticized the government's slow improvements in this area. "If CIOs and agency leadership are not regularly interacting with each other, CIOs and IT professionals will forever be playing catch-up, leading to excess costs, performance gaps, and security flaws," he told the committee.
The lack of accountability at the top of the organization was the number one lesson of the OPM breach, says Anthony Dagostino, global head of cyber risk at London-based Willis Towers Watson. Dagostino is an active member of the FBI’s Infragard program and is also involved with various working groups at the Department of Treasury, Department of Homeland Security and the Senate Commerce Committee.
Both President Barack Obama and President Donald Trump have directly addressed this issue in their cybersecurity executive orders, he says. "The executive orders really hold the executive department heads and agency heads responsible for cyber risk management and cybersecurity, instead of the IT department," he says. Trump's executive order was signed in March, and includes a number of measures designed to strengthen cybersecurity, including a mandate to use the NIST framework to manage risk.
"The NIST cybersecurity framework has really taken hold, not just in the government but across the US, and is becoming a de facto standard for looking at and assessing an organization's cybersecurity posture," says Richard Spires, chairman of the board at Resilient Network Systems and former CIO of the Department of Homeland Security.
"I think it sends the right message to agencies about how important this is," he says. "Obviously, the proof is in actually doing it and carrying it out, but I think these are very positive steps that are being taken."
While the OPM received an A for its leadership in the latest FITARA scorecard, its overall score barely budged, from a D in October 2015 to a D+ this month. There were a number of areas in which OPM desperately needed to improve its technology. Users were able to access the systems with just passwords, for example, and the critical databases were not encrypted. Much of the infrastructure was old and out of date, and there was a lack of network security controls.
The lack of strong authentication was a particularly thorny problem because the federal government already had a two-factor system in place, the Personal Identity Verification card. OPM ignored that mandate, and none of the agency's 47 major applications required PIV authentication, according to the audit report.
Since then, two-factor authentication has been deployed for all users accessing the OPM's new National Background Investigations Bureau, launched last fall to replace the old Federal Investigative Services. In addition, government agencies -- and the industry in general -- are moving away from having large databases full of passwords or biometric data.