Better TSP Cyber Security Needed/by Sonny Dothard
TSP cyber security breaches have been a nightmare for the federal government for several years now, and the TSP or Thrift Savings Plan Board, the Federal Retirement Thrift Investment Board, is by no means unfazed by them. But a recent audit report says that the agency is slow at ensuring better cyber security. The agency became a victim of a cyber attack in 2012, and since then it has not achieved the security it should have. One might wonder why, after such an awful incident, the agency wouldn't take corrective steps.
Audit Says Thrift Savings Plan Board Needs Better TSP Cyber Security
A performance audit of the Thrift Savings Plan Board was conducted for fiscal 2016. It revealed that the agency is not complying with the metrics laid out by the Homeland Security Department under the Federal Information Security Modernization Act. All FISMA performance audits usually take in metrics from three entities: the inspector general of the organization, the chief information officer of the organization and its senior privacy official.
Though the Thrift Savings Plan Board (FRTIB) has reported privacy officer and CIO results many times in the past, it underwent its first FISMA inspector general audit in fiscal 2016. As the agency doesn't have an internal inspector general, the audit was conducted by an independent auditor, Ernst and Young.
FRTIB Audit Mistakes
The audit highlighted that the Thrift Savings Plan Board (FRTIB) has not implemented a personal identification verification program for users. The agency stated that it would implement two-factor authentication for all users by the end of the next quarter.
The agency has also failed to implement any risk management strategy or procedure that would help it assess whether its security controls are functioning. This has been an ongoing task for the organization: it stated last year that it had several functions of a risk management office in place, but not all of them.
The thrift savings plan board also doesn’t have a program that will oversee the systems run by its contractors. It doesn’t even have a formal process to monitor, measure and report the information security performance of the contractors.
Ernst and Young also highlighted that one of the biggest challenges for the board is to develop a program that continuously monitors cyber security. As of the writing of this article, it has yet to finalize a policy in this regard, and there is no continuous monitoring training for executives. The executives, managers and IT administrators still need to undergo specialized security awareness and privacy coaching, as they have not done so even once.
The Thrift Savings Plan Board also doesn't have proper procedures to ensure seamless communication with DHS in case a cyber incident occurs. There is also a lack of policies for utilizing the department's EINSTEIN program.
Cyber Security Progress
Ernst and Young also acknowledged that the board has made some progress and will continue to do so this year. It also recognized that not all pertinent information was included in the 2016 FISMA report.
Wenner Lippner, a Principal at Ernst and Young, stated at the board's meeting held on February 27, 2017, that FRTIB has continued to strengthen its information security posture, management practices and controls both before and after the audit. E&Y reviewed only four of FRTIB's 19 systems for the 2016 audit.
The Acceptance of TSP Cyber Security Needs
The Thrift Savings Plan Board has acknowledged many of its cyber security challenges. It also studied the best practices of the private sector last year and signaled that cyber security would be a huge project for the agency this year.
It is vital for the agency to fix its cyber security systems if it doesn't want history to repeat itself. The agency suffered a cyber breach in 2012, when the personal information of 123,000 TSP participants was compromised via one of the contractors hired by the agency. At that time, the organization received some flak from Congress and the Labor Department for not having proper security systems in place and for not paying attention to the concerns raised by outside auditors.
TSP Cyber Security Recommendations
The agency is now trying to close the audit recommendations. It closed four out of 12 recommendations during the first quarter of fiscal 2017. In the previous quarter, it had closed five out of 63 recommendations. To date, the organization has received 165 sub-recommendations from external auditors. The Labor Department has also issued five new recommendations and re-issued another from the previous year.
Greg Long, the Executive Director of the TSP or Thrift Savings Plan Board, the Federal Retirement Thrift Investment Board, has stated that the audit closure rate is not acceptable. The agency has been working through responses to about 35 audits from fiscal 2016 and 2017. It also has 11 more to respond to in fiscal 2017. Long stated that this has been a source of significant stress in the organization.
Biggest OPM Hack Compromising Federal Employees Data Was Avoidable/by Jeff Boettcher
A recent report has stated that the attack on OPM was avoidable. The agency knew that it was being targeted and yet failed to secure millions of federal employees' data. The report also says that the agency failed to notice that it was dealing with a sophisticated enemy who probably found it simple to steal vital employee information. It has been confirmed that the attack originated in another country.
The Report on the Biggest Cyber Attacks on Federal Employees' Data
The report on one of the biggest cyber attacks on federal employees' data was released recently by the House Committee on Oversight and Government Reform. It states that OPM had been warned that it was a target and yet the agency failed to take the correct preventive actions. This left it more vulnerable to the attack.
An Interview Statement
In an interview with CNN, the Chairman of the House Committee on Oversight and Government Reform, Jason Chaffetz, stated that the report clearly says that once OPM knew an attack was in progress, it didn't take the right steps.
The Overseas Attack
The Republican representative from Utah did not confirm whether the attack came from China, as has been rumored for several months now. He does admit that it was an overseas attack. He declined to say more, pointing out that the name of the country where the attack originated was classified information.
Reason Behind the Attack
Chaffetz said that the attack was organized and executed because the information garnered through it was very valuable to other countries. The data that was stolen revealed which federal employees had security clearances and who was dealing with the most classified information. It also exposed the vulnerabilities and fingerprints of those who were in charge of the classified data.
Underestimating the Enemy
The report also stated that OPM underestimated its enemy by not realizing that the enemy had sophisticated tools and was very persistent. It also says that OPM had been warned consistently for years before the attacks that it was a target, but failed to recognize how real and serious that threat was. If the agency had taken the threats seriously and implemented some basic security controls, the attacks would not have made the information of federal employees so easily accessible.
Federal Employees Say Agencies are Using Big Data Analytics for Cyber-Security/by Jeff Boettcher
A recent report has highlighted that federal employees believe their agencies are using big data to ensure better cyber security. Many agencies still have to deal with cyber attacks because they are unable to analyze all of their data. Some agencies are also overwhelmed by the volume of cyber security data.
Federal Employees Spill the Beans on Cyber Security in Agencies
The report was produced by MeriTalk and sponsored by Cloudera. It states that about 81 percent of federal employees admitted that their agency is using big data analytics in some capacity to attain better cyber security. The report also states that 59 percent of respondents feel that the agency they work for deals with one cyber breach a month on average because the agency is unable to fully analyze its data.
Mapping the Increase in Use of Big Data
The survey report stated that there was a substantial increase in the use of big data by agencies to ensure cyber security from 2013 to 2016. This information was shared by Rocky DeStefano, a subject matter expert working at Cloudera, who added that the adoption of big data in such a short time was a big surprise and that it indicates real-life production success of such programs.
About 90 percent of respondents also accepted that the use of big data has reduced the number of breaches, while 84 percent of respondents said that agencies were able to thwart a cyber attack thanks to the latest cyber-security analytic tools. DeStefano says that this clearly shows the agencies are finding value at the earlier stages of deployment.
The survey also pointed out that 88 percent of respondents believe they face challenges in extracting cyber intelligence from data, and that their top challenge is the sheer volume of data. They also confessed that over 40 percent of data goes unanalyzed because of this problem.
Lack of Cyber Security Information
Federal employees also highlighted that about 33 percent of agencies don't even have a system in place to gather the cyber-security information they need. This information is vital for controlling and preventing cyber attacks in the future. About half still think that the volume of cyber-security data is overwhelming.
DHS to Make Federal Employees’ Electronic Devices more Secure/by Jeff Boettcher
The Department of Homeland Security is focused on making the mobile phones and other electronic devices of federal employees safer and more secure. The department is doing so after receiving a mandate from lawmakers a few months back. The department is currently gathering data from experts and aims to use it to identify and deal with potential threats.
Why DHS is Working to Make Federal Employees' Electronic Devices More Secure
DHS is working so hard to make mobile phones and other electronic devices safer because of the Omnibus bill that was passed by Congress in December 2015. The bill included section 401 of the Cybersecurity Act of 2015, which made it mandatory for DHS to carry out a study of current mobile security methods and report whether they are enough to deal with today's mobile security challenges.
The aim of the study being conducted by DHS is to identify all the threats to the cyber security of federal networks and information. After identifying them, the organization would develop recommendations for addressing the threats. The recommendations would follow industry best practices and industry standards. The organization is also supposed to create a plan that ensures accelerated adoption of highly secure mobile device technology.
It is pertinent to add here that the study excludes the Department of Defense and other agencies that fall under the category of the intelligence community.
To carry out the mandate, DHS is getting assistance from experts in the Wi-Fi and cellular industries as well as academic experts by issuing a request for information (RFI). The information DHS needs covers services, products, technologies and capabilities. The deadline for responses is August 22, 2016. The information collected would not lead to any immediate action or the issuing of new contracts; it is being gathered solely for planning and market research purposes. In the RFI, respondents are asked to identify considerations and constraints that affect mobile and other technologies. They are also asked to give recommendations on how the situation can be improved.
The scope of the information collected by DHS includes not only the smartphones and tablets used by federal employees. It also includes operating systems, mobile apps and other components of the mobile ecosystem such as enterprise mobile services and infrastructure, baseband radios and wireless networks.
OPM Creates Strategies to Retain Cyber Security Federal Employees/by Jeff Boettcher
As OPM and other federal agencies are facing problems in hiring and retaining federal employees who are experts in cyber security, OPM has created the Federal Cybersecurity Workforce Strategy to deal with the problem. The strategy aims to increase the number of cyber security personnel not only in government but across the overall U.S. workforce.
The Aim of the Strategy to Hire Cyber Security Federal Employees
OPM Director Beth Cobert recently announced that the strategy was created to ensure that more federal cyber experts are hired and retained, as they can strengthen the security of federal systems, networks and assets. She also added that cyber security is a shared responsibility of the leadership, employees, private industry, contractors and the American people.
OPM has outlined four core strategies to increase the cyber workforce at all levels. The strategies are mentioned below.
Education and Training
The first strategy includes offering a CyberCorps Scholarship for Service program and communicating with the universities regarding their resource and teaching needs. This strategy also proposed funds of $62 million to enhance cyber security education.
OPM is also focused on hiring the best talent by streamlining the existing hiring processes, focusing on diversity outreach and searching for opportunities to build a cyber security team as a part of the Presidential Management Fellows program.
Retaining the Employees
OPM aims to enhance the retention of cyber talent by creating transparent career paths and developing a government-wide cyber orientation program that promotes sharing of information.
Seeking the Workforce Needs
The cyber security workforce needs of every agency would be identified by making use of the National Cybersecurity Workforce Framework, which identifies 31 discrete specialty areas within the cyber security workforce. The framework was created by National Initiative for Cybersecurity Education (NICE) partner agencies.
The Success Factors
Cobert also stated that these changes would be implemented over time and that the long-term success of these strategies would depend on attention, resources and innovation from all levels of government. She also added that the initiatives outlined in the strategy would play a key role in establishing, growing and strengthening a pipeline of cyber security talent into the future. It is hoped that this time OPM will succeed in hiring and retaining the best federal employees who specialize in cyber security and have the caliber to protect the government from advanced cyber attacks.
OPM Offers Cyber Security Tips to Federal Employees/by Jeff Boettcher
OPM is still correcting the mistakes that led to two massive cyber security breaches last year. The agency recently directed all federal employees to take measures, such as changing their passwords often, to keep their cyber security intact. OPM is also extending the length and coverage of the services offered to people who were impacted by the breach and whose accounts were compromised. More details on the extension would be shared later this year.
OPM Asks Federal Employees to Stay Vigilant
The Acting Director of OPM, Beth Cobert, recently wrote a letter urging federal employees to become more vigilant about their cyber hygiene. She stated that the current electronic environment is very complex, so there is a need to be on guard against malicious actors and to protect the security of the technology people use on a daily basis. She suggested that feds should regularly update their passwords and stay aware of phishing email scams. She says these sorts of actions would prevent cyber intrusions.
Seeking Identity Protection
About 2.7 million of the more than 21 million people impacted by the cyber attacks have signed up for the free identity protection services being offered by ID Experts. This was revealed in data shared by the agency.
More Insurance Coverage for the Victims
In the letter, Cobert also highlighted that the agency is implementing the fiscal 2016 Consolidated Appropriations Act. This act would increase both the length and the amount of insurance coverage offered to victims of the cyber hacks.
Cobert said that the agency has already increased the amount of identity theft insurance from $1 million to $5 million. This change came into effect on June 1, 2016. She added that the agency is putting a lot of effort into extending identity protection and credit monitoring services to the people who were impacted by the attacks. The extension would ensure that these people are offered these services for at least 10 years. Cobert concluded that the details of the extension would be shared later this year.
It seems that the agency and its personnel are doing their best to ensure that the victims of the cyber attacks, current and former federal employees, feel better and that such an attack never happens again.
New Updates on Chicago’s Retirement Benefits Accounts Breach/by Jeff Boettcher
A few days back we reported how investigators were keen on finding the culprit behind the retirement benefits accounts breach. The retirement benefits accounts of municipal workers were breached and some money was stolen. Earlier, the investigation was leaning towards hacking, but as per new reports, the data was stolen, not hacked.
The Money Stolen from Chicago’s Retirement Benefits Accounts Breach
As per the latest reports, city employees in Chicago lost about $2.6 million when their retirement benefits accounts were breached. Though Nationwide, the private firm managing the accounts, redeposited the stolen money within 5 days, investigators are still working hard to find the source of the breach, and it seems that they have an idea of how it was done.
Earlier, investigators suspected that a professional hacker or a group of hackers was responsible for the theft, but the reports now say otherwise. Investigators now believe that the bad guys had access to the personal information of municipal employees and used that information to set up online profiles with the city's deferred compensation plan. After creating the accounts, they took out loans, and the city lost the money.
In a recent statement, the Nationwide spokesperson said the company believes that the accounts were not hacked but that someone stole the information. It is pertinent to add here that the company is playing a major role in investigating the fraud along with teams of city officials and some federal officers.
Hushed Up Details
When the spokesperson was asked whether it was an inside job, the person declined to comment and stated that no more information would be divulged while the investigation was still ongoing.
Chicago’s Comptroller Opinion
A spokeswoman for the Chicago Comptroller also shared an update. She stated that the fraud was carried out by an individual or group who succeeded in accessing personal information and creating a web profile. The profile was then used to take out a loan from the retirement account.
The Corrective Measures
Nationwide started taking corrective measures soon after the breach. It returned the money to all 58 affected accounts within 5 days. The company is now offering two years of free credit monitoring to all customers who were affected by the retirement benefits accounts breach.
Investigators Keen on Finding the Culprit of Retirement Benefits Accounts/by Jeff Boettcher
The retirement benefits accounts of several municipal employees were breached recently. The breach was detected by the company managing the accounts. Some money was stolen from the accounts, and the company returned it promptly. The company has also notified the account holders and federal authorities of the breach, and an investigation has begun to pinpoint the source of the fraud.
The Breach of Retirement Benefits Accounts
The breach came to light when employees of Nationwide Retirement Solutions, the company that currently administers the accounts on behalf of the city, noticed some suspicious activity. The suspicious activity was noticed in the 457 deferred compensation accounts that are meant for municipal employees. It is pertinent to add here that these accounts are very similar to 401(k) accounts.
The suspicious activity was noticed on June 1, 2016, and when the matter was investigated, it was found that the accounts of 91 people had been breached. Some money was withdrawn from around 58 of the breached accounts, while 33 accounts remained untouched.
The culprit of the breach is unknown as of now. It is believed that the culprit was a person or group that obtained personal information by illegal means and apparently created a web profile to take a loan from a retirement account. These points were highlighted by the officials involved in the investigation.
The investigation into the matter began when Nationwide learned of the breach and notified federal authorities. The account holders were also notified of the breach. Ryan Ankrom, a spokesperson for Nationwide Retirement Solutions, recently stated that the company is working in conjunction with federal authorities and city officials to pinpoint the source of the breach. He also added that they think it's a fraud at this point.
The total amount of money stolen from the accounts is not yet clear. Ankrom said that the company returned the stolen amounts to each of the account holders within 5 days of the breach.
The Future Plan
Erin Keane, who is serving as the acting city comptroller, has also made a statement. He said that the company and the city are working together right now to ensure that the security of the deferred compensation accounts, which are like retirement benefits accounts, is maintained.
Many Federal Employees Believe Cyber Security is Still an Issue/by Sonny Dothard
It's been a year since the cyber attack on OPM shook the entire nation. Unfortunately, federal agencies are still not fully prepared to deal with the problem of cyber security. Some federal employees think that the agencies are trying to solve the problem of cyber security but are unable to do so. The reasons vary from a lack of understanding of the problem to a lack of skilled manpower.
Lack of Confidence among Federal Employees
The private and public sectors have had a year to learn from the mistakes that led to the massive cyber attack on OPM. Still, federal employees and government contractors think that their workplaces do not have a better understanding of cyber security than before. Some of them think that stronger cyber security defenses are lacking.
The Vital Survey
The lack of confidence and several other findings were reported in a survey conducted by Federal News Radio. The survey was conducted as part of a report entitled "The OPM Breach: What's different now." In the survey, just 25 percent of respondents said they were confident that their workplace understood cyber risks. A whopping 75 percent stated that they were not sure whether their office had a clear understanding of data threats.
Around 45 percent of people working in the public and private sectors admitted that their office is not well prepared for a cyber attack that may happen in the future. Only 16 percent of respondents stated that their office is well prepared to deal with a future cyber attack. About 37 percent of respondents were not sure whether their office or agency is well prepared to deal with an attack.
The Exact Words
One of the respondents stated that the federal government is reactive rather than proactive in dealing with cyber threats. Another respondent stated that the IT department in his or her organization is too broadly focused. The person added that the IT department is trying to detect the problems, but it's still a monumental task for them and they are up against very old cultural issues.
The Survey Details
The survey was conducted from May 20, 2016, to May 27, 2016. It included 275 respondents, many of whom were federal employees. About 12 percent of the respondents were contractors, a quarter belonged to the intelligence community or the Defense Department, and about one-third were employees of large civilian agencies.
OPM Cyber Security Breach Source Still Not Found/by Jeff Boettcher
The federal government has still not found the source of the major OPM breach that exposed the data of over 20 million federal workers last year. Officials have hinted that the attack might have originated from China but have not proven it. Officials are also not sure whether the highly sensitive case will be closed anytime soon, as they have failed to provide a specific timeline.
Why the Source of the OPM Breach Is Still Not Pinpointed
When Sen. David Perdue (R-Ga.) raised the matter during a Senate Foreign Relations Committee hearing on U.S.-China relations, officials gave unclear answers to his questions. Antony Blinken, who serves as Deputy Secretary of State, stated that the source of the OPM breach hasn't been identified yet because finding the exact source of the intrusion is an ongoing effort.
Is China the Source of the Breach?
Many media sources have pointed out that government officials have privately admitted that China was behind the attack. They have even hinted as much in public but have offered no proof so far.
The Pending Acknowledgement
Senator Perdue also wanted to find out whether the attacks were acknowledged by the Chinese government as part of the cyber deal that was concluded last September. The deal was signed by President Obama and his Chinese counterpart Xi Jinping.
The deal was meant to ensure the complete eradication of digital espionage for commercial gain. It also aimed at ensuring that the two countries cooperate better on cyber issues, because cyber issues have been an irritant in U.S.-China relations in the last few years.
Blinken responded that he did not recall anything resembling an acknowledgement of the attack in the deal. He added that the U.S. made it clear that major cyber actions like the breach of OPM would not be ignored by the country.
When Perdue asked Blinken for a timeline by which a definitive report on what happened at OPM would be submitted, the federal representative was unable to provide one. It seems that the federal government still has a long way to go before it finds the source of the attack and punishes those responsible for one of the major cyber attacks to have happened in the U.S.
Federal Government Cyber Security Still the Worst: Report/by Jeff Boettcher
According to a new report, the federal government, state governments and even local governments still have the worst cyber security protocols when compared to the major private industries. The report also highlighted which agencies and sectors were the best performers and which were the poorest.
Federal Government Agencies’ Performance
Many federal agencies were among the poor performers, as they scored low on patching software flaws, malware and network security. NASA was the most vulnerable to malware intrusions and email scams. It ranked last in the performance chart.
The report was produced by SecurityScorecard, a venture-backed security risk monitoring startup. It was prepared after measuring the current cyber security of government and of private industries such as retail, healthcare and transportation. Performance was measured by variables such as password exposure rates, susceptibility to social engineering and defenselessness against malware infections. The report listed low-performing government agencies and, surprisingly, the U.S. State Department was on that list.
Worst Industries and Regions
The three industries with the worst cyber security are the pharmaceutical, telecommunications and education sectors. The worst performing regions were Washington, Connecticut, Maricopa County, Arizona and Pennsylvania.
This new report has once again highlighted the government's inability to keep its cyber security up to the mark. The government faced a lot of criticism last year when OPM was hacked and the data of nearly 22 million Americans was leaked due to poor cyber security.
Though there seem to be major gaps in the government's cyber security initiatives, some government agencies performed well on the security scores. The Hennepin County Library in Minnesota and the U.S. Bureau of Reclamation were among the top performers. The regions with good cyber security are Nevada and Clack County.
The federal government has taken some measures to deal with its cyber security issues. The foremost has been the Obama administration's decision to seek $19 billion for cyber security in fiscal year 2017. The amount, if approved, would include $3.1 billion to be spent on technology modernization at several federal agencies.
Federal Employees Don’t Trust Agencies’ Cyber Security/by Sonny Dothard
Federal employees don't think that cyber security within federal agencies is up to the expected level. This was revealed by a survey conducted by Dell. The survey also highlighted that federal workers don't feel their data is safe with the agencies. They also don't feel that their agencies are modifying their IT strategies as necessary.
Survey and Federal Employees Participation Details
The survey was conducted by Dell in association with the Government Business Council. The participants were randomly chosen from the list of subscribers to Nextgov, Government Executive and Defense One. Over 460 senior-level federal employees took part in the survey, and over 50 of these were GM/GS 3 or above.
The respondents were knowledgeable about cyber security and came from more than 30 federal agencies. The participants were also from civilian and government agencies.
Numbers Speak of the Diminishing Trust
About 35 percent of respondents said they were confident that federal agencies have the ability to protect information systems from cyber attacks. This number was 65 percent in 2014, so it's a 30 point drop. Only 28 percent of respondents feel that federal agencies can protect their data. This number was about 58 percent in 2014.
As part of the survey, respondents also pointed out the cyber threats that need to be prevented. Respondents think that emails with malware are the biggest threat, followed by phishing attempts and viruses: 63 percent of respondents pointed to email malware, 62 percent to phishing attempts and 50 percent to worms or viruses.
Respondents also pointed out that hacktivists are more of a threat than nation-states and criminal organizations.
Respondents also feel that federal agencies are not making any progress with regard to implementing IoT security and leveraging the Internet of Things. In 2014, 16 percent said that their agency was already leveraging the IoT and 14 percent said that the agency was quickly moving to leverage it. These percentages have now dropped to just 9 percent and 11 percent.
Lack of Strategies
About 38 percent of federal employees think that their agencies are adopting better cyber security strategies with regard to the IoT. Only 19 percent of federal workers agree that it's a priority for their agency.
OPM Urges Agencies to Close Skill Gap/by Jeff Boettcher
OPM Director Beth Cobert is determined to close the skill gap across all government jobs. The agency has enlisted the assistance of Chief Human Capital Officers (CHCOs) in this regard: they are to create reports on how to close the skill gap in both the short term and the long term. The agency is aiming to close all the skill gaps within a decade.
The Instructions of OPM
OPM has instructed the CHCOs to determine why an occupation becomes at risk, both in their own agency and in other agencies, with particular focus on mission-critical jobs. They then need to develop strategies to solve the problem. The strategies are meant to be government-wide so that all federal agencies can benefit from them.
The CHCOs are also required to submit quarterly and annual reports on this problem. All these instructions were given in a letter written by OPM acting Director Beth Cobert to the federal HR community on April 15th.
The Mission-Critical Jobs
OPM has created a list of mission critical jobs. The list is given below.
- Contract Specialist
- Cyber Security
- Human Resource Specialist
- STEM which denotes science, technology, engineering and mathematics occupations
The agency is directing the CHCOs to create a four-year short-term strategy and a ten-year long-term strategy to close the key skill gaps in mission-critical jobs. Again, the strategies must cover not only their own agencies but all agencies across the federal government.
The CHCOs can draw on the quarterly reviews produced by a data program called HRStat. HRStat identifies the mission-critical occupations in which agencies have trouble recruiting and retaining skilled employees. The program was developed a few years ago and still provides useful data.
The CHCOs will receive guidance on creating the strategies. OPM will issue guidance not only on developing the strategies but also on the reporting procedure, to reduce the scope for error. According to Cobert, the guidance will be shared with all federal agencies soon.
TSP Board May Need More Funding/by Jeff Boettcher
The Thrift Savings Plan (TSP) Board may need more funding for fiscal year 2016. The main reasons are cyber security upgrades and external audits; another is its growing membership. The board is not yet sure how much extra money the budget needs, but plans to lay it out soon.
TSP Board Budget Data
The Federal Retirement Thrift Investment Board (FRTIB) was assigned $220 million for 2016. The board predicts that it could spend $151 million even before the beginning of the third quarter. The main reason for such spending is the need for resources to support cyber security upgrades and external audits.
The announcement regarding the need for more funding was made by FRTIB executive director Greg Long during the board's monthly meeting on April 25. He said that although the agency still has some work to do on budget allocation, it seems almost certain that it will need more money from the board. The estimate of the extra amount required will be clarified next month.
The Cost of Cyber Security
The main reason the agency is running ahead of schedule on its budget is that it is putting a lot of money into boosting its cyber security. The agency is working with external auditors to complete a study of cyber security best practices in private sector firms.
More Data and Better Service
The agency is also focused on using more data to make better decisions and on offering better communication and services to TSP participants. TSP enrollment is higher than ever before, and it is expected to continue to grow until 2018.
About 89% of people covered by the Federal Employees Retirement System (FERS) have enrolled in the TSP. Among active duty military members, about 44% are enrolled in the TSP.
Call Center Service
In order to provide better service to the growing number of TSP participants, the agency is aiming to create a better consolidated call service center as part of the Expanding Participant Retirement Engagement Services and Solutions (ExPRESS) contract. According to the board, the draft RFP for ExPRESS participant call center services is scheduled for release during the first week of May.
Federal Government Advises to Uninstall Apple’s QuickTime Program/by Jeff Boettcher
Apple’s popular program QuickTime is now perceived as a threat by the federal government. The Department of Homeland Security suspects it can become a tool to hack a Windows computer, and the DHS is urging people to uninstall it as soon as possible. Apple is no longer updating it and is providing instructions on how to uninstall it.
Alert Sent by the Federal government
As soon as the DHS realized that the program is a potential threat to every US citizen, it sent an alert telling all Windows customers to uninstall the program. According to DHS officials, the unsupported software is vulnerable to viruses and hacks. The alert stated that the only solution to this major threat was to uninstall the program quickly.
Apple is no longer providing support for the software and has also decided not to issue any further security updates for it. The company made these decisions despite knowing that the software has two vulnerabilities that could allow hackers into people’s computers.
The last update to the software came in late January this year, and the company had been fixing software bugs regularly for a few years. Apple’s last QuickTime release for Windows was in 2005, and since then the company seems to have stepped back from the responsibility of fixing or enhancing the software for Windows users.
Interestingly, although DHS and Apple are encouraging Windows users to uninstall the software, it is still available for download. For people who need assistance uninstalling the software, Apple has dedicated a whole page of instructions on its website.
QuickTime and Mac
Apple is not pulling the software for Mac users. In fact, Apple delivered a sizeable QuickTime upgrade for Mac OS X in 2009, and its support and security updates are still active.
The DHS alert is not the only request to Windows users to remove the software. The security company Trend Micro has also blogged that QuickTime is very vulnerable to cyber attacks. The company made it clear that there have been no known attacks so far, but that it would be wise to remove the software from Windows anyway.
OPM Data Leak May Damage Census Response Rate/by Jeff Boettcher
Commerce Chief Information Security Officer Rod Turk recently stated that last year’s OPM data breach may severely affect the 2020 census. He added that people may not participate in the census at all. The need for a reliable census is probably greater now than ever.
The Question Posed by OPM Attack
The OPM attack that occurred in June 2015 and compromised the data of nearly 22 million former and current employees is predicted to harm the public’s trust in the government. It may also lead people to ask: if the government cannot keep the data it already has secure, why should they hand over more through the census?
In 2010, about 6 percent of citizens said they were reluctant to participate in the census, and 2 percent of them actually followed through. Though 2 percent is not a high number, it is certainly noteworthy. Even a small increase in this number could seriously skew the census results.
If the census results are inaccurate, that would affect federal spending on programs, private sector investment decisions, representation in presidential elections and Congress, compliance with civil rights laws, and many other vital processes.
Public Trust in Government is Deteriorating
Pew Research previously reported that only 19 percent of people trust the government to do the right thing most of the time or just about always. Mr. Turk admits that public trust is vital for any census, and with trust near an all-time low, that is not a good sign.
The low faith in government may have been worsened by the OPM cyber security hacks, but it was not very positive before then either. The Census Board had already decided to change or remove questions that were considered offensive in the 2010 census.
Learning the Lesson
Mr. Turk said that the Census Board is putting a great deal of effort into ensuring that census data remains safe. The organization is focused on ensuring that cyber risks are continuously identified and mitigated, that phishing campaigns are effectively blocked, and that the Personal Identity Verification card system is strengthened so that only authorized employees can access the most sensitive assets.
It seems that the cyber security culture of the Census Board may succeed in avoiding the same vulnerabilities that OPM exposed last year.
Private sector studied by the TSP board for insight in cybersecurity/by Matt Pierce
The Office of Enterprise Risk Management of the Federal Retirement Thrift Investment Board has been in operation for around three years now and has been busy since its inception. It has now decided to study the private sector in a bid to gather insight into cyber security.
Private Sector to Be Studied by the TSP Board
The office has been doing a good job, according to Jay Ahuja, the FRTIB’s chief risk officer, though he admits that there is still a long way to go and that the job is far from finished. Ahuja said on March 29th that they have been working on risk assessment and management for quite some time and have been setting up the infrastructure for it, but that there is still room for improvement, just as there was at the start.
In its bid to fight cyber threats, the Office of Enterprise Risk Management has decided to study the private sector to learn how it tackles cyber security and risk management issues. Ahuja says that the organization is following a strict timeline and that he expects to wrap things up by mid-May so that the board can consider how to move forward. FRTIB has had a hard time with cybersecurity itself: around 123,000 participants’ information was compromised through one of the board’s contractors in 2012, and since then the board has received heavy criticism over its security issues.
While the study has yet to take place, it is expected not only to raise awareness but also to provide the organization with valuable insight into how to tackle cyber threats and ensure cybersecurity.
Federal Government Agencies Still Lagging Behind in Cyber Security/by Sonny Dothard
A report by the Office of Management and Budget has revealed that although many federal agencies are trying hard to secure their information, the efforts are far from enough. It suggests that the federal government must take steps to ensure that advanced attacks by malicious actors are combated appropriately.
The Vulnerabilities of Federal Government Agencies
The Office of Management and Budget recently released its annual cyber security compliance report. The report pointed out that there were numerous improvements in securing information in fiscal year 2015, but also stated that the measures taken were not enough, as federal agencies are still dangerously behind in data protection.
Lack of Plans
The annual report on agency compliance with the Federal Information Security Modernization Act of 2014, delivered to Congress, also pointed out that federal networks, information systems, and data remain very vulnerable to attack. The report also exposed the lack of formal plans for securing against cyber attacks in 15 of 24 federal agencies.
The Separate Reports
It is worth mentioning that the NCUA was not part of the 24 agencies, as it submitted a separate FISMA report. Apart from the NCUA, 59 other agencies also submitted FISMA reports, and the results of these reports were given only in aggregate form.
The report also suggested that the federal government must consider stepping in directly to ensure that the right measures are taken to develop proper defenses against increasingly sophisticated attackers.
Areas that Need Improvement
Risk management practices, identity and access management, and configuration management are the core areas that need improvement, according to the independent evaluations of information security programs conducted by agency inspectors general. Senior Agency Official for Privacy reviews also called for adding privacy protections throughout systems’ lifecycles.
In FY 2014, the number of security attacks on federal government agencies was 69,851; unfortunately, it increased to 77,183 in FY 2015. These numbers clearly highlight that the government must take serious steps to reduce the number of cyber attacks in the current FY, or else risk another data leak such as the one suffered by OPM last year.
Introducing Mr. Cyber Security/by Dianna Tafazoli
Clifton Triplett is the Cyber Advisor in the Office of Personnel Management. Mr. Triplett comes from SteelePointe Partners, a global management consulting company. In the wake of the cyber security attacks and the fingerprint theft of millions of federal workers and their families, including retirees and contractors, security is not only sensitive but a key determinant as to the tenure of the OPM Director and the Cyber Advisor.
Mr. Triplett has over 30 years of experience, including military service. A graduate of the U.S. Naval Academy, he seems to have the knowledge and discipline needed to form partnerships and put strategies in place that just might protect the safety and security of federal workers going forward. When a candidate has military experience on their resume, it somehow just reads better and tells another story. Military personnel are trained first and foremost to be leaders and to take on responsibilities through collaborative effort. Who knows better than military personnel how to work in a team?
Mr. Triplett certainly has his work cut out for him, but with his experience at some of the major Fortune 200 companies, he just might have what it takes to prevent another security breach affecting federal workers.
P. S. Always Remember to Share What You Know.