Just six leadership and oversight requirements included in a 2021 executive order to improve the nation's cybersecurity remain unfinished by the agencies charged with implementing it, according to a new report from the Government Accountability Office.
Between the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget, 49 of the 55 items in President Joe Biden's order aimed at protecting federal IT systems from cyberattacks have been fully completed. The remaining five were partially completed, and one was deemed “not applicable” due to “timing with other requirements,” according to GAO.
“By meeting these requirements, the federal government can better ensure that its systems and data are adequately protected,” GAO said.
In the section of the order on “Removing Barriers to Threat Information,” OMB only partially incorporated the required cost analysis into the annual budget process.
“OMB has failed to demonstrate that its communications with relevant federal agencies include a cost analysis of implementing recommendations by CISA related to the sharing of cyber threat information,” GAO said. “Documenting the results of communications between federal agencies and OMB will increase the likelihood that agency budgets are sufficient to implement these recommendations.”
OMB was also unable to demonstrate that it had worked with the various agencies to ensure “sufficient resources to implement an approach for deploying endpoint detection and response, an effort to proactively detect cyber incidents within federal infrastructure.”
“OMB staff members have found it impractical for OMB to document the results of all EDR-related communications with agencies due to the large number and distributed nature of the conversations involved,” the GAO said.
OMB still has work to do on logging as well. The agency has shared guidance with other government agencies on how best to improve log storage, log management practices, and logging capabilities, but it has not demonstrated this to GAO.
CISA, on the other hand, fell somewhat short in identifying and providing agencies with a list of “critical software” in use or in the acquisition process. Although OMB and NIST have fully met that requirement, CISA officials told GAO that the agency is “concerned about how the list will be interpreted by government agencies and private industry, and will not validate the categories of software.” “We were planning to review the existing standards necessary for this,” they said. A new version of the category list and an annex with clearer explanations will be published soon, the officials added.
CISA also has some work to do regarding its Cyber Safety Review Board. The multi-agency board, which is made up of representatives from the public and private sectors, is facing heat from lawmakers and industry leaders over its lack of authority and independence. According to GAO, CISA has not completed the steps needed to implement the Board's recommendations on how to improve its operations.
“CISA officials stated that they have made progress in implementing the Board's recommendations and are planning further steps to improve the Board's operating policies and procedures,” GAO wrote. “However, CISA has not provided evidence that it is implementing these recommendations. If CISA does not implement the Board's recommendations, the Board risks being unable to effectively conduct future case investigations.”
But federal agencies have checked off most of the EO's list. “For example, we developed procedures to improve the sharing of cyber threat information, guidance on security measures for critical software, and a handbook for conducting incident response,” GAO wrote. Additionally, the Office of the National Cyber Director, “in its role as the overall coordinator of the order, collaborated with government agencies on specific implementation and tracked implementation of the order.”
GAO issued two recommendations to CISA's parent agency, the Department of Homeland Security, and three recommendations to OMB regarding full implementation of the EO's requirements. OMB did not respond to requests for comment, but DHS agreed with GAO's recommendations to improve the definition of critical software and the operations of the Cyber Safety Review Board.