The Office of the Inspector General (OIG) completed a report in November that warns of pervasive and recurring security lapses at the State Department that “significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources.”
“The reports have found recurring weaknesses in six areas: Authority to Operate (ATO), Baseline Controls, Scanning and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies,” the report stated.
The report also highlighted risks from internal threats, noting there are some 6,369 system administrators with access to sensitive data.
“The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue,” the report said.
A recently published survey on security technology trends in the federal government found that only 11 percent of federal IT professionals said their department had implemented the Top 20 Critical Security Controls (20 CSC). Other key findings included:
- Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy
- 66 percent do not have plans to adopt the 20 CSC at this time
- Only 18 percent of respondents implementing controls are doing so in the order proposed
- 79 percent use the 20 CSC as general guidelines
- 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts
The National Security Agency (NSA) originally created the best security practices list, which was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS).
The Top 20 Critical Security Controls (20 CSC) are a prioritized list of security best practices that have been proven to help organizations combat the most common cybersecurity issues and reduce the greatest number of exploitable cyberattack vectors.
According to a separate U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies increased 782 percent from 2006 to 2012. Despite this growing number, the survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.