A new White House report says three-quarters of Federal agencies are not managing their cybersecurity risk correctly and are consequently at “risk or high risk” of data theft or network intrusion due to poor cybersecurity programs.
The recently released Federal Cybersecurity Risk Determination Report and Action Plan found that 71 of the 96 Federal agencies assessed are “not equipped to determine how threat actors seek to gain access to their information,” and these agencies either lack “fundamental cybersecurity policies” or have “significant gaps” in their programs. Just 26 percent of agencies were deemed to be managing risk appropriately.
While it takes the majority of Federal agencies to task for failing to reduce cybersecurity risks, the report does not name any of the agencies it assessed.
President Trump commissioned the report in May 2017 upon the release of his Cyber Executive Order, which required all Federal agencies to submit risk assessment reports to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS). The EO also tasked OMB and DHS with evaluating the Federal agency risk assessments and submitting their findings to the President.
The agency risk assessments leveraged the Federal Information Security Modernization Act (FISMA) of 2014, Chief Information Officer metrics from FY 2017 and Inspectors General metrics from FY 2016.
OMB and DHS worked with the National Institute of Standards and Technology (NIST) and other Federal agencies to standardize a process for evaluation, and graded the 96 agencies across 76 different metrics. The resulting 21-page report appears to render damning conclusions for most.
“Only 27 percent of agencies report that they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually,” the report states. “Simply put, agencies cannot detect when large amounts of information leave their networks.”
The report cited four key findings, a lack of situational awareness, a lack of standardized IT capabilities, limited network visibility, and a lack of accountability for managing risk, as the main contributors to agency risk. It also outlined four “core actions” to target each of those deficiencies, respectively:
- Increase cybersecurity threat awareness among Federal agencies by implementing the [NIST] Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency SOCs [security operations centers] to improve incident detection and response capabilities; and
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.
The last point reinforces the concept of CIO authority enhancement repeatedly referenced in the more recent IT EO, the FITARA scorecard, newly proposed Congressional legislation, and statements from White House officials.
“The assessments show that CIOs and CISOs [chief information security officers] often lack the authority necessary to make organization-wide decisions despite direction to centralize authority in statutes such as FITARA and FISMA,” the report states. “OMB and the IGs have repeatedly found that senior-level visibility and authority is necessary to drive consistent improvement in agency cybersecurity.”