Agencies Waited Nearly a Month and a Half to Fix High-Threat Vulnerabilities

The White House has a new goal to stop malicious emails and compromised websites from scooping up government information. And it's tracking agencies' progress on meeting the objective.

But preliminary findings demonstrate agencies have got their work cut out (see page 11). 

Initial "anti-phishing" and malware defense reports show the mean time for dealing with "high findings" flagged by vulnerability scans was 42 days. Malicious code was in at least one agency's systems for 126 days. 

In addition, agencies waited more than two weeks between scans, according to the mean scores. All the data is posted on Performance.gov, a federal database that tracks progress in meeting ambitions. 

New, unnamed tools and training programs will be rolled out to protect government data from what the White House calls "a growing cyberthreat,” the Anti-Phishing and Malware Defense metrics state.

The departments of Defense, Energy and State, Office of Personnel Management and 1600 Pennsylvania Avenue are just a few of the agencies successfully hacked by suspected nation states in the past couple of years. 

According to Verizon's 2014 annual data breach report, 20 percent of cyber espionage operations relied on website compromises to deliver spyware to a victim's computer, and 78 percent used carefully-crafted emails to target victims.