White House hands out ‘cyber sprint’ grades

The White House said Friday that 14 of 24 federal agencies hit a major goal during a White House-ordered 30-day “cybersecurity sprint.”

In the days after the first of two mammoth hacks were revealed at the Office of Personnel Management (OPM), the White House directed all agencies to patch critical vulnerabilities, restrict the number of people with access to privileged data and quicken the adoption of multi-factor authentication.

{mosads}In results released Friday, the White House said 14 agencies had met the clearest benchmark: requiring multi-factor authentication for at least 75 percent of all network users.

With multi-factor authentication, users must verify their identity with a unique one-time code or personal digital card, in addition to a traditional login.

The OPM was near the top of the list, with 97 percent of its users now needing to use multi-factor authentication. The result represented a 56-percentage point jump for the agency from shortly before the sprint began in early June.

Lawmakers roundly berated OPM officials in numerous hearings following the hacks for failing to aggressively adopt basic cyber defense mechanisms, such as encryption and multi-factor authentication.

The General Services Administration led the way with 99 percent adoption of multi-factor authentication, while the Department of Transportation and Department of Homeland Security (DHS) hit 90 percent or above.

Overall, the administration said the entire government increased its use of strong authentication for users from 42 percent to 72 percent during the sprint.

“While these statistics are just a few examples of a marked improvement in identifying and closing the gaps in the Federal cyber infrastructure, we still have more work to do,” Federal Chief Information Officer Tony Scott said in a Friday blog post.

Some surprising agencies, including the State and Justice Departments, could be found near the bottom of the list.

Both agencies appeared to focus on boosting strong authentication just for so-called “privileged users” — those with access to sensitive data.

Eighty three percent of DOJ’s privileged users now need to use multi-factor authentication, up from 26 percent. Similarly, at State, the percentage jumped from 21 to 76 percent by the end of the sprint.

But overall, both agencies still only require strong authentication for between 28 and 31 percent of their total users.

The Energy Department pulled up the rear, scoring in the low teens across the board.

“We are reminded nearly every day that more needs to be done in order to stay ahead of the ever-evolving threat,” said Sen. Tom Carper (D-Del.), in a statement about the report. “Today’s results from the administration’s cybersecurity sprint underscore that need. Far too many agencies need to step up when it comes to strengthening their cyber defenses.”

Carper, the top Democrat on the Senate Homeland Security & Governmental Affairs Committee, is backing a bill with the committee’s chair, Sen. Ron Johnson (R-Wis.) that would give the DHS more powers to defend other agency’s networks from hackers.

“Congress has a responsibility to help, too,” he said. “We know all too well that cybersecurity is not only a sprint, it’s a marathon.”