U.S. federal government agencies have recently suffered a series of data breaches that have profoundly affected government employees and U.S. citizens. Reported in June, the hack of Office of Personnel Management (OPM) systems compromised the personal information of 22 million Americans, most of them current, former or prospective federal employees. The attack, allegedly initiated by Chinese actors, put some highly sensitive government records, such as the documents collected during federal employees' background checks, at serious risk.
The breaches highlight how flawed federal agencies' IT security has been. OPM is especially blamed, since the hack was made possible through its troubled contractor, KeyPoint Government Solutions, which did not even have basic IP address control or access logging. To make it worse, OPM evidently did not follow federal mandates to protect confidential data at the top assurance level(s) with strong authentication (see OMB M-04-04, December 2003 and NIST SP 800-63-2, August 2013). As of 2014, strong authentication using Personal Identity Verification (PIV) cards had not been integrated into any of OPM's 47 major applications (see OPM FISMA Audit 2014). The security controls were so weak that all an attacker had to do was gain access to a system on the network, and nearly any system required only a username and password.
The federal government’s one-month Cybersecurity Sprint campaign is an urgent response to the finding that federal agencies are seriously lagging in IT security, even in implementing the government’s existing technical guidelines. According to the initial report released on July 31st, use of two-factor authentication climbed from about 42% to over 72% during the Cybersecurity Sprint, a significant jump in such a short time span and immense progress after the 2011 initiative had stalled at 42% in 2014. The initial results of the Cybersecurity Sprint suggest that strong authentication has been a neglected but not-so-hard-to-implement IT security solution for government agencies. However, the report does not provide details about progress on the other Cybersecurity Sprint goals, including scanning for malicious activity and patching critical vulnerabilities. Once that information is available, we will provide updates on those results and on the progress of agencies that did not meet the strong authentication goal during the “Sprint”.