Findings and Recommended Action Plan

In their federal cybersecurity review, OMB and DHS examined the capabilities of 96 civilian agencies across 76 metrics to determine those entities’ ability to identify, detect, respond to and, if necessary, recover from cyber incidents. According to the report, “The current situation is untenable.” The report’s findings indicate that 71 of 96 agencies (74%) participating in the process had cybersecurity programs that were either “at risk” or at “high risk.” (The report defines the term “high risk” as “Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently”; the term “at risk” applies to agencies where “Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.”) The report continues: “…the risk assessments show that the lack of threat information results in ineffective allocations of agencies' limited cyber resources. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.” The report also indicates that the timeline for the implementation of access management, boundary protection and event management capabilities is likely to be delayed due to “a series of government-wide and agency-specific implementation challenges.” On a more nuanced level, the report presents four important findings, namely, most agencies’ limited situational awareness, lack of standardized IT capabilities, limited network visibility and lack of accountability for managing risks.
Limited Situational Awareness

One of the major findings of the report is that the agencies cannot identify the methods and vectors of cyberattacks. Out of 30,899 cyber incidents that produced security breaches, the methods and the vectors of the attacks were not identified in 11,802 cases. Even in cases when they were identified, the agencies did not have information-sharing processes in place to communicate the data about the attacks to other agencies. According to the report, only 59% of agencies reported having such processes.
Lack of Standardized IT Capabilities

Agencies can facilitate the identification of security vulnerabilities by adopting standardized procedures or technologies. For example, if agencies use the same standards for sending and receiving emails, they will facilitate the identification of phishing emails, because a phishing email that does not comply with the common standard can be easily identified. However, this is not the case with federal agencies. The report indicated that many agencies employ fragmented identity, credential and access management (ICAM) processes. For instance, one agency revealed that it maintains a decentralized environment with 23 domains and more than 300 unique user groupings based on geographic location, which limits its ability to manage users’ access to data within the agency effectively.
Limited Network Visibility

An effective response to cybersecurity incidents depends on agencies’ ability to monitor the flows of data processed through their networks and to detect cybersecurity incidents. Just 27% of the examined agencies reported that they could detect and investigate unauthorized attempts to access large volumes of data. This means that large volumes of data could be stolen from the computer systems of the other 73% of agencies without their knowledge. Even in cases when the agencies detect data breaches, they may not respond adequately, as only 30% of the agencies have predictable, enterprise-wide incident response processes.
Lack of Accountability for Managing Risks

The report found that many agencies’ chief information officers (CIOs) and chief information security officers (CISOs) often lack the authority to make important organization-wide decisions. This issue is particularly serious in agencies that employ multiple CIOs who are responsible for managing their own budgets. A decision taken by one of those CIOs may not apply to the security infrastructure falling within the scope of other CIOs.
Recommended Action Plans

In response to the aforementioned worrying findings, the Risk Report identifies four core actions that can help address cybersecurity risks across the federal enterprise:
- Increase cybersecurity threat awareness by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks,
- Standardize IT and cybersecurity capabilities to control costs and improve asset management,
- Consolidate agency Security Operation Centers (SOCs) to improve incident detection and response capabilities, and
- Drive accountability across agencies through improved governance processes, recurring risk assessments and OMB’s engagements with agency leadership.