On 11 May 2017, President Trump issued the Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
. This directive, among other things, identified agency heads as those who are ultimately responsible for managing cybersecurity risk within executive departments.
In service of that purpose, the White House specified in its order that federal agency heads must use the NIST's Cybersecurity Framework
to manage their agency's digital security risk. It also required agency heads to submit a risk management report to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) within 90 days of the Executive Order's date of issuance.
OMB and DHS received risk management assessments from 96 civilian agencies. Together, the two government bodies evaluated the reports across 76 metrics to measure the agencies' preparedness for identifying, detecting, responding to and recovering from digital security incidents. They then presented their findings in their joint Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States
(Risk Report), which they published on 30 May 2018.
Overall, OMB and DHS found that federal agencies' digital security programs need work. Of the 96 agencies that submitted reports, just 25 of them were adequately managing risk across the enterprise. The remaining 71 agencies (or 74 percent of participants) had digital security programs that were either at risk or at high risk, meaning they were ill-equipped to investigate how threat actors could access their information and to make wise digital security investments.
The Risk Report tied this evaluation to four main findings. These were as follows:
Finding One: Limited Situational Awareness
First and foremost, OMB and DHS observed in their review that agencies possess limited situational awareness of the threats in their environments. They found that those charged with defending agency networks don't have information on threat actors' techniques, tactics and patterns. These shortcomings, along with a lack of resources, prevented agencies from adequately protecting their networks. Agencies that participated in the review failed to identify the attack vector in 38 percent of incidents that compromised information systems over the course of FY 2016. Even if they had this type of intelligence, just over half (59 percent) of agencies had the necessary processes in place to communicate risk across the entire enterprise.
OMB and DHS proposed addressing these problems by providing situational awareness to federal agencies and improving existing frameworks across the government. Specifically, they announced they would help agencies use the Cyber Threat Framework
to create mitigation coverage maps. At the same time, the two government bodies said they would distribute a budgeting model tying agencies cybersecurity spending to FISMA
metrics in order to improve resource allocations.
Finding Two: Lack of Standardized IT Capabilities
Another problem uncovered by OMB and DHS was the fact that agencies lack standardized security processes and IT capabilities. This issue prevents agencies from using a simple solution to reduce their attack surface and from having the necessary visibility to combat threats. Consider the following statistics:
- Federal agencies enforce Personal Identity Verification cards among 93 percent of privileged users but still haven't matured their access management capabilities.
- Only a half of federal agencies have processes in place that can restrict users' access to information.
- Under half (49 percent) of federal agencies have the ability to whitelist software running on their systems. Many departments have multiple versions of the same software or solutions with overlapping functionality installed on their systems.
For OMB and DHS, the answer to these challenges involves helping agencies adopt a centralized solution that's responsible for managing access controls. The two entities also suggest consolidating agencies' email systems in order to protect users against phishing
attacks and to help agencies move to standard software versions or configurations.
Finding Three: Limited Network Visibility
The third finding of DHS and OMB's review was agencies' limited network visibility including their ability to detect data exfiltration. Just 40 percent of agencies analyzed in the Risk Report could detect instances of encrypted data exfiltration; even fewer than that (27 percent) could detect exfiltration of large amounts of data. On the other side of the equation, agencies oftentimes didn't bother to learn from confirmed digital security incidents. Just 17 percent analyzed incident response data following an event, while only 52 percent of organizations validated incident response roles during testing.
The Risk Report observes that agencies need better information on what's going on in their networks. Towards that end, OMB and DHS recommend providing threat intelligence to agencies, helping them consolidate their Security Operations Center (SOC) capabilities and if necessary helping them move to a SOC-as-a-Service provider.
Finding Four: Lack of Accountability for Managing Risks
Finally, OMB and DHS saw that many federal agencies lack standardized and enterprise-wide processes for managing cybersecurity risks. Many CIOs and CISOs in these agencies lacked the authority to make sweeping security changes, the government entities found. At the same time, these agencies lacked consistent methods for notifying agency heads of cybersecurity risk.
In response to these challenges, OMB said it will work across the government to address each agency's management of cybersecurity risk. It will also continue to require regular risk assessments and help guide agencies on investing in cybersecurity.
Compliance for the Future
As OMB and DHS work to improve federal agencies' cybersecurity programs, agency heads need to make sure their departments stay compliant with federal regulations. They also need to stay on top of the latest digital attacks targeting the enterprise. Tripwire can help with both