FISMA Archives | FedScoop
https://fedscoop.com/tag/fisma/
FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.
Tue, 09 Jan 2024 23:22:04 +0000

Watchdog recommends changes in FISMA metrics, as agencies still ‘mostly ineffective’ at implementation
https://fedscoop.com/gao-recommends-fisma-metric-changes/
Tue, 09 Jan 2024 23:22:03 +0000
Most civilian agencies reviewed by the Government Accountability Office didn’t demonstrate effective FISMA implementation.

The post Watchdog recommends changes in FISMA metrics, as agencies still ‘mostly ineffective’ at implementation appeared first on FedScoop.

The Government Accountability Office is recommending changes to how the government measures implementation of a decades-old cybersecurity law as agency information security programs continue to be “mostly ineffective.”

In a Tuesday report, the government watchdog said that while there was some improvement in agency implementation of the Federal Information Security Modernization Act between 2021 and 2022, more than half of the 23 civilian agencies it reviewed had information security programs that were “not effective.” 

But the watchdog also found that metrics for assessing security programs aren’t considered useful by some agencies and their inspectors general, who complete annual FISMA assessments. As a result, the GAO made two recommendations for the Office of Management and Budget related to improving the metrics.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control. Addressing the causes could improve the federal government’s cybersecurity posture,” the report said.

The recommendations are for the director of OMB, along with partners in the Department of Homeland Security, to “develop FISMA metrics related to causes of ineffective information security programs identified by IGs” and to “improve the CIO and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size, and adequately address risk.”

OMB neither agreed nor disagreed with the recommendations, according to the watchdog.

OMB guidance asks agencies to provide inventory of IoT assets
https://fedscoop.com/omb-internet-of-things-iot-guidance-federal-agencies/
Wed, 06 Dec 2023 18:05:09 +0000
The memo also calls on the CISO Council to create a working group charged with compiling sector-specific best practices playbooks that cover IoT and operational technology.

The Office of Management and Budget is stepping up its oversight of Internet of Things usage throughout the federal government, calling on agencies to deliver an inventory of their “covered IoT assets” by the end of fiscal year 2024.

In its FY2024 Federal Information Security and Privacy Management Requirements guidance, released Monday, OMB noted that the ubiquity and breadth of agency-used IoT devices underscores the federal government’s vulnerabilities to “new and more complex” cyber threats, a fact that necessitates the “strengthening of cybersecurity posture” of such devices. 

“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the guidance states. “This includes the interconnected devices that interact with the physical world — from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”

The guidance — which defines “covered IoT assets” as devices embedded with “programmable controllers, integrated circuits, sensors, and other technologies for the purpose of collecting and exchanging data with other devices and/or systems over a network in order to facilitate enhanced connectivity, automation, and data-driven insights across devices and systems” — comes on the heels of The Internet of Things Cybersecurity Improvement Act of 2020.

The IoT Act required the National Institute of Standards and Technology to issue IoT-related guidelines and standards, while also calling on the OMB director to review agency security policies and principles regarding the technology to ensure compliance.

OMB said it has “actively engaged with agencies over the past two years to learn about the diversity of IoT devices prevalent throughout the federal government,” setting the stage for the fresh instructions.

In addition to the IoT inventory deadline facing agencies, the guidance directs the Chief Information Security Officer Council to stand up, within four months, a working group charged with creating IoT and operational technology playbooks that include sector-specific best practices. Those playbooks would then be distributed to agencies.

“These efforts should leverage existing cybersecurity regimes and industry practices wherever feasible,” the guidance states, “so that IoT technology is appropriately integrated into the security frameworks and programs governing other forms of information technology.”

FISMA reform bill advances in Senate
https://fedscoop.com/fisma-reform-bill-advances-in-senate/
Wed, 26 Jul 2023 20:53:54 +0000
The long-awaited bill seeks to improve cybersecurity coordination between agencies and codify the role of the federal CISO.

Bipartisan legislation to improve cybersecurity measures across the federal government has moved forward in the United States Senate.

The Federal Information Security Modernization Act of 2023 on Wednesday passed mark-up by the Senate Homeland Security and Governmental Affairs Committee, and will now be debated by lawmakers on the floor of the upper chamber.

The long-awaited reform bill seeks to improve coordination between the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, as well as other federal agencies and contractors.

If enacted, it will also codify the role of the federal chief information security officer, who would work within the Office of the Federal CIO.

The legislation provides additional authorities to CISA for responding to cyber breaches on federal civilian networks and also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

HSGAC Chair Gary Peters, D-Mich., and Sen. Josh Hawley, R-Mo., are sponsoring the Senate bill. Companion legislation is being led through the House by Reps. James Comer, R-Ky., and Jamie Raskin, D-Md., chairman and ranking member of the Committee on Oversight and Accountability, along with Reps. Nancy Mace, R-S.C., and Gerry Connolly, D-Va.

Commenting on the bill, Sen. Peters said: “This bipartisan, bicameral bill will modernize federal cybersecurity standards and ensure that government systems – and the information they store – are safe and secure.”

Sen. Hawley said: “I am encouraged Congress is taking bipartisan action to improve and modernize the cybersecurity of the federal government. As cyberattacks continue to expose federal technology vulnerabilities, particularly from foreign adversaries like the CCP, it is imperative we bolster our cybersecurity networks and defend our national security.”

VA watchdog warns of cybersecurity deficiencies at Northern Arizona health care system
https://fedscoop.com/va-watchdog-warns-of-cybersecurity-deficiencies-at-northern-arizona-health-care-system/
Tue, 11 Jul 2023 21:32:21 +0000
In an audit the watchdog found previously unidentified critical vulnerabilities, uninstalled patches and network operating systems that are no longer supported by vendors.

The Department of Veterans Affairs Office of Inspector General has warned of key cybersecurity deficiencies at the agency’s Northern Arizona health system.

In an audit, the watchdog said it had detected previously unidentified critical vulnerabilities, uninstalled patches and network operating systems that are no longer supported by vendors.

According to the IG, the issues could “deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems.”

In addition, the VA watchdog said it had identified almost twice as many devices on the health care system’s network as were listed in its inventory, and it also found a range of weak access controls, including missing video surveillance at a data center and inadequate fire detection and suppression equipment.

As a result of its investigation, the watchdog made six recommendations to the VA CIO to improve controls at the health care system, because the findings relate to enterprise-wide information security issues similar to those identified in previous FISMA audits and information security inspections. It also made five recommendations to the director of the Northern Arizona VA Health Care System.

VA management agreed with the six recommendations made to the VA CIO.

The watchdog typically carries out such audits at VA facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA).

Deficiencies in EPA’s radiation data system pose ‘significant risk to public health,’ watchdog says
https://fedscoop.com/epa-radiation-data-system-poses-risk-to-public-health/
Thu, 06 Jul 2023 17:43:04 +0000
The system within the EPA's Office of Air and Radiation is used to detect radiation changes in air and drinking water.

The Environmental Protection Agency failed to consistently and promptly fix vulnerabilities in a system used for monitoring radiation level fluctuations, putting the data “at risk of being exploited by threats,” according to the agency’s watchdog.

“Because of the significance of the data collected, analyzed, and hosted within [the Analytical Radiation Data System], the impact of these data being compromised poses a significant risk to public health,” the agency’s Office of the Inspector General said in a Wednesday report.

The report found EPA’s Office of Air and Radiation (OAR) didn’t follow the agency’s own timelines or create plans of action to fix vulnerabilities in the system, which is used to detect radiation changes in things like air and drinking water. 

In a response included in the report, OAR cited “resource limitations” as one of the reasons for the deficiencies and said it was working on the inspector’s recommendations. The inspector said it now considers those recommendations “resolved with corrective actions pending.” 

The findings were a part of the inspector’s evaluation for the agency’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014, a key information system security law, for fiscal year 2022. 

Overall, the EPA received the third highest of five possible maturity levels, which means it “consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking,” the report said. 

As part of the assessment, the inspector’s office assessed vulnerability scan results, which it said identified more than 20,000 “critical vulnerabilities that could impact remotely operated computers on the Agency’s network in various ways, such as remote code execution, denial of service, and memory corruption.”

The inspector said the agency couldn’t provide remediation plans, known as Plans of Action and Milestones (POA&Ms), for eight vulnerabilities it randomly selected. The OAR attributed that failure “to the significant number of vulnerabilities identified for ARadDS and the limited resources to address them.”

The office told the inspector that ARadDS is difficult to patch because it’s not connected to the agency-wide network and doesn’t receive automated updates. Patches must be applied manually, and software and hardware restrictions complicate the process. As a result, the OAR said, it uses a database version of the system that is not up to date in software or hardware.

The inspector recommended the OAR implement a plan for prioritizing patch installations in a timeframe consistent with agency policy and document associated plans of action and milestones for the system. 

In response to the report, the OAR agreed with the findings and said it was already making changes to address the vulnerabilities, including “separating the ARadDS network from the Agency’s network and running its own 72-hour scans to identify security weaknesses and flaws,” the inspector said.

Among the actions it has in progress, the OAR cited a request for funding from the Technology Modernization Fund. That request was granted Thursday in an announcement from the General Services Administration, which manages the fund.

The $2.5 million award would help modernize hardware and software for ARadDS’s network and prepare it for a possible migration to the cloud, OAR said.

Watchdog finds IT security issues at VA medical center in Minnesota
https://fedscoop.com/inspector-finds-security-issues-minnesota-veterans-medical-center/
Thu, 08 Jun 2023 20:38:41 +0000
The Department of Veterans Affairs' Office of Inspector General found deficiencies in three of the four information security categories it reviewed at the St. Cloud VA Medical Center.

A Department of Veterans Affairs medical center in Minnesota has multiple information technology deficiencies, including outdated operating systems, missing security patches, and non-operational video surveillance, the agency’s inspector general said.

In a Thursday report, the VA’s Office of Inspector General revealed that the St. Cloud VA Medical Center didn’t meet federal information security guidelines in three of the four areas it investigated: configuration management, contingency planning, and access controls. The only category without deficiencies was security management controls.

The VA has struggled to implement the information security standards in the Federal Information Security Modernization Act of 2014 (FISMA), according to the report. In a fiscal year 2021 audit, the inspector general found the VA “continues to face significant challenges meeting the law’s requirements.”

The inspector general made eight recommendations to the assistant secretary for information and technology and chief information officer, and two to the medical center director, in the Thursday report, including implementing more effective processes for vulnerability management, inventory of network devices, and preventing the use of prohibited software.

While the inspection was specific to the St. Cloud center, the report noted “other facilities across VA could benefit from reviewing this information and considering these recommendations.”

Among the issues found in the review were deficiencies in the medical center’s vulnerability management, which the report said “prior FISMA audits have repeatedly found.” 

Those issues included operating systems that weren’t supported by the vendor anymore and missing security patches in applications. While the Office of Information Technology (OIT) routinely scans for vulnerabilities, it didn’t detect all of the issues the inspection team found when it used the same tools for vulnerability scanning, the report said.

Security patches hadn’t been applied in several devices with “critical and high-risk vulnerabilities,” the report said. “Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.”

The review also found that the medical center failed to keep an accurate inventory of its information systems and discovered 19 “special-purpose systems” running Windows XP, which the report said “has not been supported in over eight years and is prohibited by OIT.”

The medical center’s data center also didn’t have an operational video surveillance system when the inspection team visited the facility, which it said “minimizes incident response capabilities of the security force in the event of compromised security controls.”

In a response included in the report, the assistant secretary for information and technology and chief information officer agreed with most of the recommendations and said he submitted action plans.

The CIO didn’t agree with the inspector general’s recommendation for a more effective inventory of network devices, arguing devices the inspection team found that weren’t accounted for in inventories were improperly identified.

GOP lawmakers want additional details on CMS subcontractor breach timeline
https://fedscoop.com/cms-subcontractor-breach-timeline/
Mon, 20 Mar 2023 17:26:00 +0000
They seek information about why it took two months to notify Congress about the incident, which exposed the data of 254,000 Medicare beneficiaries.

Republican lawmakers are seeking additional details from the Centers for Medicare and Medicaid Services about the length of time it took the agency to notify Congress about a subcontractor breach that exposed the information of 254,000 Medicare beneficiaries.

In a missive sent Monday, senior lawmakers requested documentation including agency communications about the ransomware attack and communications related to notifying congressional committees of the breach.

The Centers for Medicare and Medicaid Services concluded on Oct. 18 that the incident had potentially resulted in the compromise of Medicare enrollee data. However, details of the cyberattack, which hit subcontractor Healthcare Management Solutions, were not made public until mid-December.

According to lawmakers, Congress was not notified about the incident until Dec. 1.

Under the Federal Information Security Modernization Act of 2014, federal government agencies are required to notify Congress about major cybersecurity incidents within seven days of discovery.

Details of Medicare beneficiaries that were exposed during the incident included names, addresses, dates of birth, phone numbers, social security numbers and Medicare Beneficiary Identifiers.

In addition, CMS determined that the breach may have exposed sensitive banking information including routing and account numbers. Medicare entitlement, enrollment and premium information were also potentially compromised.

In the letter, which was addressed to CMS Administrator Chiquita Brooks-LaSure, the lawmakers said: “After becoming aware of a major data breach and potential exposure of Medicare beneficiaries’ personal information, it took CMS two months to determine that the data breach constituted a ‘major incident’ as defined in the Federal Information Security Modernization Act (FISMA).”

“To assist our investigation into this major incident and the response by CMS, please provide the following documents and communications … no later than April 3, 2023,” lawmakers added in the missive.

As with the Office of Personnel Management cybersecurity breach that occurred in 2015, affected beneficiaries have been advised to contact their financial institutions and to enroll in credit monitoring services that will be provided by the federal government agency free of charge.

The letter was signed by House Committee on Oversight and Accountability Chairman Rep. James Comer, R-Ky., and House Committee on Energy and Commerce Chair Rep. Cathy McMorris Rodgers, R-Wash.

7 agencies improve FITARA grades amid more scorecard changes
https://fedscoop.com/fitara-15-0-scorecard-grades/
Thu, 15 Dec 2022 21:00:00 +0000
All other agencies' grades remained unchanged.

Seven agencies improved their FITARA scorecard grades after the Government Accountability Office continued to update its scoring methodology around data center consolidation, cybersecurity and network modernization components.

The grades of the Commerce, Defense, Justice, Transportation, and Treasury departments, as well as the Environmental Protection Agency and NASA rose. All other agencies’ grades remained unchanged.

GAO began issuing grades biannually in November 2015 to monitor agencies’ progress implementing the IT modernization and cybersecurity improvements required by the Federal Information Technology Acquisition Reform Act (FITARA). Evolving the scorecard has long been a priority of Rep. Gerry Connolly, D-Va., who aspired to the House Oversight Committee chairmanship before Republicans wrested control of the House in the November election.

“We must continue to reap dividends from modernizing legacy IT systems, migrating to the cloud and maintaining a strong cyber posture,” Connolly said in a statement. “I look forward to continuing the scorecard and the longstanding tradition of bipartisan FITARA oversight in the 118th Congress.”

The FITARA 15.0 scorecard further modifies the new data center consolidation component to give credit to agencies that justified future data center closures. Agencies responding with no future closures received A grades, and the five that justified their need for future closures received Bs.

GAO changed cyber component scoring to a weighted, rather than traditional, average. The predominant Federal Information Security Modernization Act maturity level among all 24 agencies scored was level four, managed and measurable security, which meant the General Services Administration and National Science Foundation scored more than 100% for their optimized postures and received A grades.

Lastly, GAO changed its scoring of agencies’ transition from expiring telecommunications and network contracts to the $50 billion Enterprise Infrastructure Solutions modernization vehicle. GSA expected agencies to be 90% transitioned by March and 100% transitioned by September, so July’s FITARA 14.0 scorecard graded their progress toward the 90% benchmark, with 11 receiving Fs.

For FITARA 15.0, GAO cracked down by issuing pass-fail grades based on whether an agency reached the 90% benchmark, with 19 receiving Fs. Only the U.S. Agency for International Development was 100% transitioned by GSA’s deadline, while the Health and Human Services and Treasury departments, NASA and the Nuclear Regulatory Commission passed for being more than 90% transitioned.

What the midterm results mean for federal IT leaders
https://fedscoop.com/what-the-midterm-results-mean-for-federal-it-leaders/
Fri, 11 Nov 2022 03:23:46 +0000
While the full outcome of the election remains uncertain, tech policy experts tell FedScoop how a Republican-led House could impact the day-to-day operations of government agency IT departments.

While control of Congress following Tuesday’s midterm elections is likely to remain unsettled for several more days, Republicans are still poised to take over the House of Representatives, setting up many confrontations with the Biden administration over the next two years.

Speaking with FedScoop, senior members of the federal tech policy community explained what this could mean for day-to-day operations at the IT departments of government agencies, and outlined key issues C-suite leaders will have to face during the 118th Congress:

  • Increased oversight of IT and cybersecurity spending at federal agencies including the IRS, DHS and FTC
  • The departure of lawmakers and federal C-suite executives with IT expertise
  • Strong resistance to spending on disinformation programs that Republican lawmakers view as potentially curtailing free speech
  • Heightened focus on agency record-keeping

Increased oversight

Federal agency leaders can expect increased oversight from Republican lawmakers as they ramp up opposition to the administration’s agenda. In particular, chief information officers and other senior officials with direct responsibility for IT project management should expect more frequent calls to attend congressional hearings and respond to questioning from lawmakers.

Scrutiny of the federal agencies that have received substantial funding increases, including the Internal Revenue Service, Department of Homeland Security, Federal Trade Commission and Federal Communications Commission, is likely to be especially in-depth and potentially hostile.

As one federal IT policy expert told FedScoop: “The Republicans in the House are super-focused on oversight, and of the federal agencies, IRS is likely at the top of the list. They are not thrilled with the $80 billion allocated to the agency as part of the [Inflation Reduction Act].” 

Another IT policy expert agreed with this characterization and said the IRS would need to be ready “to make the case that investment in IT services is going to streamline and improve services for citizens.”

Republicans in both the House and Senate have expressed staunch opposition to the $80 billion the IRS received from the Inflation Reduction Act, of which $4.8 billion is allocated for revamping the agency’s antiquated IT and cybersecurity systems.

A September letter from Republican senators to outgoing IRS Commissioner Chuck Rettig sounded the alarm over “speculative return-on-investment” estimates from the IRS and Treasury Department over IT spending, including $347 million relating to a Foreign Account Tax Compliance Act compliance program.

Sens. Chuck Grassley, R-Iowa, and John Thune, R-S.D., last week announced their intention to introduce legislation that would give Congress a direct say in how the $80 billion in fresh funding for IRS is spent.

Carl Szabo, vice president of the tech industry group NetChoice, told FedScoop that Reps. James Comer, Cathy McMorris Rodgers and Jim Jordan, all of whom are slated to lead major committees in a GOP-led House, are sponsors of a bill to protect speech from government interference, and that they’re likely to use their new power to pursue deep-dive investigations into the tools being used by agencies, including DHS, to tackle misinformation.

Departure of expertise

A changing of the guard among lawmakers is likely to reduce focus on certain cybersecurity policy proposals including FISMA and FITARA reform. If the Republicans take the House, Rep. Gerry Connolly, D-Va., will lose his position as chairman of the House Oversight Subcommittee on Government Operations.

“No longer having Connolly setting the agenda will be a major setback for the federal IT community,” said one federal IT policy source. A potential Republican successor for Connolly remains uncertain, with lawmakers such as Rep. Nancy Mace, R-S.C., being floated as a candidate.

IT policy sources also emphasized that it will take several months for the Republican Party to hire sufficient staff to reshape the House committees, and that the likely structure of subcommittees remains uncertain. The House Oversight steering committee could, for example, establish a subcommittee focused specifically on federal IT operations.

In addition, heightened scrutiny from lawmakers raises the specter of further government agency IT leadership departures, even as government departments struggle to hire and retain cybersecurity talent. As one IT policy source put it: “If you’re going to get the s*** kicked out of you, are you going to stick around?”

Federal IT policy leaders speaking with FedScoop warned of a pressure-cooker environment on the Hill arising from the increased pace of oversight, but added that agency leaders have been preparing for this outcome and should have the support mechanisms in place to rebuff partisan attacks.

“Don’t forget that agencies and the White House are expecting this and have staffed up with lawyers and senior advisers,” said one policy expert.

Disinformation focus

House Republicans have expressed their intent to interrogate DHS’s attempts to tackle misinformation and disinformation. 

“All the key House Republicans that will lead tech-related committees are sponsors of legislation to protect speech from government interference, which would affect DHS activity significantly,” added Szabo. “They’ve openly said they’ll do a deep-dive investigation into misinformation and disinformation reduction efforts by the Biden administration and the tools and technologies the federal government is using to push social media platforms and the tech industry to moderate content or censor.” 

Democrats say disinformation — false information spread deliberately — is a threat to democracy and national security. However, an increasing number of Republicans regard attempts to counter disinformation as a threat to First Amendment rights.

In particular, Republicans have expressed concerns about a February bulletin from DHS saying the federal government plans to work with public and private sector partners, including major social media companies, to reduce the “proliferation of false or misleading narratives, which sow discord or undermine public trust in U.S. government institutions.” 

CISA also published a report in June setting out plans to tackle misinformation and disinformation that some Republicans have warned could result in censorship under the guise of national security or election security.

DHS provoked the ire of Republicans and stirred national controversy in April with its launch of a Disinformation Governance Board. The agency was pressured to backtrack and shut down the committee after it received criticism from both sides of the political aisle.

Digital record-keeping

Another key area where technology leaders can expect further attention from a Republican-led House of Representatives is in the area of digital record-keeping.

Top House Republicans earlier this month accused Securities and Exchange Commission Chairman Gary Gensler of inconsistency and hypocrisy in complying with digital record-keeping laws. Such criticism is likely to become more vocal, and it could result in fresh investigations being launched.

The controversial deletion of Secret Service phone data around the time of the Jan. 6 attack on the U.S. Capitol revealed wider systemic problems with federal digital records preservation. Republicans have already sent Biden administration officials hundreds of record preservation letters indicating their intent to probe the administration for illegal behavior, including regarding federal transparency laws.

“Republicans took aim at the SEC and Gary Gensler recently, so we expect that to continue in the majority because they’re mad at him for his ideological agenda and his record-keeping stuff,” said James Czerniawski, senior tech policy analyst at the conservative advocacy group Americans for Prosperity. “The Federal Trade Commission, which regulates tech companies, will also face scrutiny from Republicans for their policies and spending, including through records preservation.”

House Republicans who are likely to control key committees, including Jordan, Comer and Tom Emmer, sent the SEC a letter Nov. 2 pointing to reports that the agency was “failing to comply with federal record-keeping statutes.”

The GOP letter also referred to recent litigation showing that the “SEC is failing to identify and produce records of official business conducted on non-email or ‘off-channel’ platforms, such as Signal, WhatsApp, Teams, and Zoom.” 

In addition, Republicans have criticized SEC officials for using private messaging platforms for official business without producing those records in response to open-records requests, while at the same time aggressively enforcing record-keeping laws on Wall Street banks. In September the SEC fined Goldman Sachs, Morgan Stanley and other financial firms more than $1.1 billion after bankers discussed deals and trades on their personal devices and apps.

Republicans on the House Judiciary Committee in August also sent the Federal Trade Commission a letter outlining their intent to investigate recent watchdog findings of the agency’s use of unpaid consultants and experts, and instructed the agency to preserve all relevant digital records.

Benjamin Freed contributed to this article.

Trade group calls on lawmakers to focus on cloud migration, cybersecurity and acquisition reform in NDAA discussions
https://fedscoop.com/adi-calls-on-lawmakers-to-prioritize-cloud-migration-cybersecurity-and-acquisition-reform-in-ndaa/
Sat, 22 Oct 2022 02:26:15 +0000

ADI also says the defense spending bill should include language to reform FedRAMP and FISMA.

The post Trade group calls on lawmakers to focus on cloud migration, cybersecurity and acquisition reform in NDAA discussions appeared first on FedScoop.

The Alliance for Digital Innovation has called on lawmakers to prioritize five key areas including cloud migration, cybersecurity and acquisition reform as they work to enact the National Defense Authorization Act for fiscal 2023.

In particular, the trade group said it supported the inclusion of bill language that would require the Department of Defense to produce a study on costs associated with underperforming software and other IT.

“ADI supports the inclusion of Section 236 in the House-passed version of the bill that requires the DOD to produce a study on costs associated with underperforming software and information technology,” the group wrote in a letter Friday to the chairmen and ranking members of the House and Senate Armed Services Committees.

It added: “The results of this study will assist the military departments and the other information technology leaders across the DOD to better identify systems, processes, and workloads that should be moved to more modern, cloud-based environments.”

Section 236 was included in the version of the bill that was passed by the House of Representatives on July 14.

ADI also said it would support the inclusion of language in the bill to revamp the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Modernization Act (FISMA). In January, lawmakers introduced legislation to update FISMA, but it has not been enacted into law.

“We believe the FedRAMP program has provided a strong security foundation for the federal government, and it could continue to thrive with formal Congressional authorization and additional authorized funding for its operations,” the trade group said.

It added: “FISMA improves government security and promotes adoption of modern, cloud-based commercial security solutions that are the foundation of zero trust environments. In general, these pieces of legislation will provide support to programs and offices that support security and drive compliance across the federal government.”

In addition to cloud migration, cybersecurity and acquisition reform, ADI says lawmakers should prioritize bill language that could improve workforce-related government IT solutions, as well as digital, AI and data solutions.
