Federal Information Security Modernization Act of 2014 (FISMA) Fiscal Year 2018 Annual Report to Congress

August 29, 2019

By Jean Hiefner

It’s not light table reading, so you may not have had the chance to flip through the 137-page Federal Information Security Modernization Act of 2014 (FISMA) Fiscal Year 2018 Annual Report to Congress. However, everyone in IT should be aware of a few key takeaways.

Read the Full Report

“The cybersecurity threats facing the Federal Government, and our Nation as a whole, clearly demonstrate the need for vigilance to protect the country’s data and digital infrastructure. America’s networks, both public and private, remain top targets of malicious actors the world over. This environment demonstrates that effective cybersecurity requires any organization — whether a Federal agency or a public or private company — to identify, prioritize, and manage cyber risks across its enterprise.”

While agencies did see a 12% decrease in cybersecurity incidents between fiscal years 2017 and 2018 (and none meeting a “major” incident threshold in 2018), threats exist nonetheless, particularly email-based:

“While the trend is encouraging, drawing conclusions based on this data point, particularly as agencies have adjusted to several new sets of reporting guidelines over the last few years, would be concerning… [E]mail-based threats remain prevalent, with email/phishing continuing to be a highly-targeted attack vector.”

Essentially, the top five (5) high-value asset (HVA) findings in the report are as follows:

  1. Lack of data protection
  2. Lack of network segmentation
  3. Inconsistent patch management
  4. Lack of strong authentication
  5. Lack of continuous monitoring
    (including auditing and logging capabilities)

Top five (5) high-value asset (HVA) findings

Our government-grade Thursby Sub Rosa® suite of apps tackle three (3) of those HVAs above. Here’s how:

  1. Lack of data protection: All of our apps include the ability to enforce zero data at rest policies. When these policies are enabled, users are restricted from saving or printing information accessed inside the app. This keeps sensitive information on the secure servers and off of the mobile device. The app is also designed to lock when it is not in use so that only the intended user has access.
  2. Lack of strong authentication: The Thursby Sub Rosa suite of apps support strong, two-factor authentication on Apple® iOS and Android™ mobile devices with a Common Access Card (CAC), Personal Identification Verification (PIV), or derived credential, such as Purebred.
  3. Lack of continuous monitoring: Enterprise deployments of Sub Rosa can choose from an extensive list of logging capabilities to create customized audit logs that continuously monitor user activity within the app.

Beyond addressing these HVAs, Sub Rosa can further reduce cybersecurity attacks, such as email phishing, by allowing users to sign and encrypt emails on their mobile devices. Agencies interested in adding multi-factor authentication to their mobile applications can utilize Thursby’s royalty-free software development kit (SDK), PKard Toolkit, which smoothly coordinates authentication of credentials through Sub Rosa.

From government agencies to commercial customers, if you’re ready to find out how we can improve your cyber and mobile security, contact us today at +1 817-478-5070 or sales@thursby.com.

Thursby is an Identiv company.