GAO Examines Cybersecurity in Federal Agencies
The U.S. Government Accountability Office published a report examining Federal agencies’ cybersecurity risk management programs. GAO conducted the study due to the growing number of cyber threats Federal agencies face to their systems and data. The GAO examined: 1) the extent to which agencies established key elements of a cybersecurity risk management program; 2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and 3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face.
The Federal Information Security Management Act (FISMA), passed in 2002, requires each agency to develop, document, and implement an agency-wide information security program that provides risk-based protections and supports the operations and assets of the agency. FISMA also assigned government-wide responsibilities to OMB, DHS, and the National Institute of Standards and Technology (NIST).
NIST directed each agency to create the position of cybersecurity risk executive, the official within the agency who ensures that cybersecurity risks are being addressed. NIST stated that agencies should also develop a cybersecurity risk management strategy, which should include: 1) a statement of the agency’s risk tolerance; 2) how it intends to assess risk; 3) acceptable risk response strategies; and 4) how the agency intends to monitor risk over time. OMB, for its part, published Circular A-123, directing agencies to implement a capability for enterprise risk management and further stating that agencies should establish coordination between cybersecurity and enterprise risk management. NIST also identified foundational activities that should be included in policies to help prepare agencies to manage security and privacy risks, and stated that these activities should be guided by risk-based decisions. GAO found that 22 of the 23 agencies have established the role of cybersecurity risk executive, and most of the agencies have established policies that include elements to ensure that their activities are guided by risk-based decisions. However, fewer than half of the agencies have developed an agency-wide cybersecurity risk management strategy.
In May 2017, OMB issued guidance to agencies on implementing the provisions of Executive Order 13800 on managing cybersecurity risks. The guidance required agencies to use the metrics established for monitoring FISMA implementation to report their cybersecurity risk management capabilities. Using the results from the agencies, OMB and DHS published the Federal Cybersecurity Risk Determination Report and Action Plan in May 2018. OMB and DHS found that 74% of the Federal agencies participating in the assessment were either at risk or at high risk. In response, OMB and DHS created several initiatives to help address some, but not all, of the agency-identified challenges.
The first initiative focused on workforce education, offering current federal employees who do not work in the IT field three months of hands-on training to build the foundational skills associated with cyber defense analysis. The next initiative involved the creation of Continuous Diagnostics and Monitoring, whose purpose was to provide federal agencies with the tools and services necessary to automate network monitoring, correlate and analyze security-related information, and enhance risk-based decision making at the agency and government-wide levels. Another initiative was the consolidation and maturation of Security Operations Centers, which defend federal organizations against unauthorized activity within a network. OMB and DHS also produced a cyber threat framework, which provides for a cybersecurity architecture review that allows an agency to assess its cyber capabilities against the threats it actually faces. Inter-agency cyber-focused working groups are another initiative; they use CyberStat reviews to give an agency the guidance it needs to implement the NIST framework and cybersecurity risk management practices. Agencies should also manage competing priorities between cybersecurity and operations, and OMB has stated that its risk-based budgeting model could help agencies prioritize their cybersecurity investments.
GAO found three main issues with these initiatives that make them difficult for agencies to implement. First, many of the initiatives emphasize centralized visibility, authority, and reporting, but fail to address the factors identified by agencies that affect their ability to implement consistent cybersecurity risk management policies and procedures. Second, existing OMB and NIST guidance requires agencies to establish enterprise risk management programs and cybersecurity risk management programs but does not address how these programs should be integrated or coordinated. Lastly, the cyber threat framework does not address key aspects of risk framing, such as acceptable risk mitigation strategies or establishing an agency-wide statement of risk tolerance.
In concluding the report, GAO reemphasized that, given the increasing number of cyber threats, it is critical that agencies be in a position to make consistent and informed risk-based decisions in protecting their systems and information against these threats. GAO states that clarified or updated guidance, along with agencies sharing successful practices and lessons learned, could help agencies fully establish their cybersecurity risk management capacity. This leads to GAO’s recommendation to OMB: the Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of: 1) managing competing priorities between cybersecurity and operations; 2) implementing consistent cybersecurity risk management policies and procedures across an agency; 3) incorporating cyber risks into enterprise risk management; and 4) establishing agencies’ cybersecurity risk management strategies.