This month, the U.S. Senate Committee on Homeland Security and Governmental Affairs published a report about the cybersecurity posture of eight federal agencies: The Department of Homeland Security (DHS), the State Department (State), the Department of Transportation (DOT), the Department of Housing and Urban Development (HUD), the Department of Agriculture (USDA), the Department of Health and Human Services (HHS), the Department of Education (ED), and the Social Security Administration (SSA). According to the report, titled Federal Cybersecurity: America’s Data Still at Risk, the information security programs of these agencies have a lot of room for improvement. The report contains the results of audits performed by the Inspectors General of these agencies in 2020. The effectiveness of each information security program was evaluated using the Federal Information Security Modernization Act (FISMA) metrics established by DHS. These metrics include five maturity levels ranked from lowest to highest: Ad-hoc (level 1), Defined (level 2), Consistently Implemented (level 3), Managed and Measurable (level 4), and Optimized (level 5). In the Senate’s report, each maturity level has a corresponding letter grade; for example, a grade of A corresponds to the highest maturity level, Optimized. Of the eight agencies examined in the report, only DHS received a B, the highest grade. USDA, HUD, and HHS received C’s. State, DOT, ED, and SSA all received D’s. The average grade of the eight agencies was determined to be a C-.
In terms of cybersecurity weaknesses, there is significant overlap among the federal agencies examined in the report. Five cybersecurity weaknesses affect the majority of the agencies: systems operating without current authorizations (DHS, State, DOT, HUD, ED, and SSA), unsupported legacy systems or applications that no longer receive security patches from vendors (DHS, State, DOT, HUD, USDA, ED, and SSA), failure to quickly install security patches and remediate vulnerabilities (DHS, State, DOT, USDA, HHS, and ED), failure to maintain an accurate and comprehensive IT asset inventory (DHS, State, DOT, HUD, HHS, ED, and SSA), and failure to ensure that personally identifiable information (PII) is adequately protected (State, USDA, HUD, HHS, DOT, ED, and SSA).
Four out of the five cybersecurity weaknesses plaguing the eight federal agencies—unauthorized devices, legacy systems, slow patches, and the lack of IT asset inventories—can really be boiled down to two problems: failure to keep track of all IT assets, and failure to ensure that all IT assets comply with cybersecurity regulations. IT assets include the hardware and software used for business operations. Proper IT asset management (ITAM) can help. ITAM involves keeping an accurate inventory of all IT assets used by an organization. In addition to helping with audits, such an inventory helps with managing the lifecycles of IT assets. When IT assets are no longer supported by vendors, they become a security risk because they no longer receive updates that fix security vulnerabilities. The performance of old IT assets may also degrade over time, or they may become inefficient compared to newer assets. Eventually, the cost of keeping unsupported legacy IT assets outweighs the cost of replacing them. Knowing which IT assets are at the ends of their lifecycles can help with legacy modernization, the process of replacing legacy IT assets with newer ones to improve operational performance.

ITAM can help with vulnerability remediation too. In theory, someone with a comprehensive list of all IT assets can check every one of them manually for vulnerabilities; when there are thousands upon thousands of assets, enterprise ITAM software should be used instead, and some such products include features for identifying and remediating cybersecurity vulnerabilities. The problem of unauthorized devices includes shadow IT: hardware and software used without the knowledge of the IT or cybersecurity group. Good ITAM should mean that every IT asset in an organization is identified. To ensure that all IT assets in an organization have current authorizations, use up-to-date technology, and carry the latest security patches, one must be able to identify the assets that do not meet these requirements. Having an inventory of all the assets makes this process easier.
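As an added illustration (not code from the report or its author), the following Python check reconciles a constructed authorized inventory against a constructed network discovery result and maps the gaps onto the four ITAM-related weaknesses named above; the hostnames, dates and the YYYY-MM patch-level convention are assumptions.

```python
from datetime import date

REPORT_DATE = date(2020, 12, 1)          # assumed date of the inventory review
CURRENT_PATCH_LEVEL = "2020-11"          # newest approved cumulative patch (assumed, YYYY-MM)

# Constructed authorized inventory, keyed by hostname (sample data, not from the report).
INVENTORY = {
    "hr-db-01":      {"ato_expires": date(2020, 3, 1),  "support_ends": date(2019, 1, 14),  "patch_level": "2019-06"},
    "web-07":        {"ato_expires": date(2022, 1, 1),  "support_ends": date(2025, 10, 14), "patch_level": "2020-10"},
    "file-srv":      {"ato_expires": date(2021, 6, 30), "support_ends": date(2023, 1, 10),  "patch_level": "2020-11"},
    "old-print-srv": {"ato_expires": date(2021, 6, 30), "support_ends": date(2023, 1, 10),  "patch_level": "2020-11"},
}

# Constructed discovery result (e.g. hostnames seen in a network scan export).
DISCOVERED = {"hr-db-01", "web-07", "file-srv", "unknown-laptop-3"}


def assess_assets(inventory, discovered, today, current_patch):
    """Map the report's inventory-related weaknesses onto the two data sets."""
    authorized = set(inventory)
    findings = {
        # seen on the network but not authorized: shadow IT / unauthorized devices
        "unauthorized_devices": sorted(discovered - authorized),
        # authorized but not seen: the inventory has drifted from reality
        "not_observed": sorted(authorized - discovered),
        "expired_authorizations": [],
        "unsupported_legacy": [],
        "missing_patches": [],
    }
    for host, rec in inventory.items():
        if rec["ato_expires"] < today:
            findings["expired_authorizations"].append(host)
        if rec["support_ends"] < today:
            # the vendor no longer ships fixes, so "patch it" is not an option: flag for replacement
            findings["unsupported_legacy"].append(host)
        elif rec["patch_level"] < current_patch:   # YYYY-MM strings sort chronologically
            findings["missing_patches"].append(host)
    return findings


def run_assessment(today=REPORT_DATE):
    return assess_assets(INVENTORY, DISCOVERED, today, CURRENT_PATCH_LEVEL)


if __name__ == "__main__":
    for finding, hosts in run_assessment().items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```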
Aside from practicing good ITAM, agencies that received low grades would benefit from fostering greater cybersecurity awareness in the workplace; specifically, a greater understanding of the objectives behind cybersecurity policies, rather than just the policies themselves. Consider the event documented on page 21 of the report: “When the Inspector General recommended State ensure accounts unused for more than 60 days are disabled as required by State policies, State disagreed, apparently citing a memorandum regarding another matter entirely—the policy that users change their password every 90 days.” The policy that users change their password every 90 days implicitly applies to the accounts of active users, not to inactive accounts that might belong to former employees. Someone who understands this would recognize that the two policies are not in conflict, because they serve the same objective: ensuring that user accounts cannot be compromised. If an attacker launches a brute-force password-guessing attack against an account whose password is never changed, they may eventually guess the correct password, and if that account is authorized to access sensitive information, they could do a lot of damage. Regular password changes prevent this type of attack from succeeding. If an account is not being used, a brute-force attack against it might go unnoticed, and it may well succeed because the password remains unchanged: the user is inactive and is not around to change it. The two policies can be reconciled when one understands that the purpose of the password policy is not the policy itself (ensuring that users change passwords every 90 days), but rather the greater objective of ensuring that user accounts cannot be compromised. When employees understand the objectives that cybersecurity policies are meant to achieve, there will be fewer misunderstandings of those policies.
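To show that the two State policies act on different populations rather than contradicting each other, here is an added Python review (not from the report or its author) run over a constructed directory export; the account names, dates and the review date are assumptions, while the 60-day and 90-day thresholds are the ones the report quotes.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2020, 12, 1)        # assumed date of the account review
INACTIVITY_LIMIT = timedelta(days=60)  # State policy cited by the IG: disable accounts unused > 60 days
PASSWORD_MAX_AGE = timedelta(days=90)  # State policy cited in State's reply: rotate passwords every 90 days

# Constructed directory export (sample data, not from the report).
ACCOUNTS = {
    "alice":   {"enabled": True,  "last_logon": date(2020, 11, 28), "pw_changed": date(2020, 10, 1)},
    "bob":     {"enabled": True,  "last_logon": date(2020, 11, 20), "pw_changed": date(2020, 7, 1)},
    "former1": {"enabled": True,  "last_logon": date(2020, 6, 2),   "pw_changed": date(2020, 5, 15)},
    "former2": {"enabled": False, "last_logon": date(2020, 1, 9),   "pw_changed": date(2019, 12, 1)},
}


def review_accounts(accounts, today):
    """Return the action each enabled account needs when both policies are applied together."""
    actions = {}
    for name, rec in accounts.items():
        if not rec["enabled"]:
            continue                       # already disabled: neither policy has work to do
        idle = today - rec["last_logon"]
        pw_age = today - rec["pw_changed"]
        if idle > INACTIVITY_LIMIT:
            # Nobody is logging in to rotate this password, so the 90-day rule cannot
            # protect the account; only disabling it closes the password-guessing window.
            actions[name] = "disable"
        elif pw_age > PASSWORD_MAX_AGE:
            actions[name] = "force password change"   # active user, stale password
    return actions


def run_review(today=REVIEW_DATE):
    return review_accounts(ACCOUNTS, today)


if __name__ == "__main__":
    for name, action in run_review().items():
        print(f"{name}: {action}")
```

An active account with a fresh password (alice) needs nothing, an active account with an old password (bob) hits the 90-day rule, and an idle account (former1) is reached only by the 60-day rule.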
In summary, ITAM can help the eight federal agencies address most of the problems they face: untracked IT assets, legacy systems, slow patches, and unauthorized devices. Problems with IT assets cannot be addressed if the IT assets are unknown, and ITAM can help agencies keep track of their IT assets. Furthermore, cultivating a greater understanding of cybersecurity in general can help agencies achieve stronger cybersecurity by reducing misunderstandings.