Hacks Bring New Urgency to Moves by Congress and Agencies to Reduce Future Cybersecurity Risks

After two recent high-profile cyber incidents that affected federal IT systems—the SolarWinds and Microsoft  Exchange Server hacks—Congress and federal agencies are moving with renewed urgency to take actions that would improve the security of U.S. government IT systems from cyberattacks. But they have a lot more work to do to make these systems secure.

In today’s WatchBlog post, we look at our latest work on how Congress and federal agencies are addressing risks within the federal IT systems.

Image

What is FISMA and how is it addressing cybersecurity risks?

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement agency-wide information security programs. Under FISMA, inspectors general (IGs) must report to the Office of Management and Budget annually on the effectiveness of the information security policies, procedures, and practices around cybersecurity of their parent agency.

There are currently several efforts underway in Congress to update FISMA, including legislation introduced in Senate and House.

On January 11, we testified before Congress on GAO’s ongoing work on FISMA. We noted that, in FY 2020, IGs determined that only seven of 23 civilian agencies reviewed had effective agency-wide information security programs. In our testimony, we described our interviews of officials from 24 agencies, conducted for the ongoing FISMA work.  All of them told us that FISMA had enabled them to improve the effectiveness of their information security programs.

But, officials also told us there were, in some cases, impediments to implementing FISMA, such as a lack of resources, and suggested ways to improve the FISMA reporting process. The suggestions included updating FISMA metrics to increase their effectiveness, improving the IG evaluation and rating process, and increasing the use of automation in report data collection.

Federal agencies’ responses include sustained coordination and communication

Last month, we reported on the federal response to the SolarWinds and Microsoft Exchange Server cyberattacks. Part of this response included the formation of two temporary Cyber Unified Coordination Group (UCGs). One of the temporary UCGs worked on responding to the SolarWinds attack, and the other on the Microsoft Exchange breach.

The two UCGs issued directives and guidance to federal agencies, including advisories, alerts, and tools, to aid agencies in conducting their own investigations and securing their networks. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives to inform federal agencies of the vulnerabilities and describe what actions to take in response to the incidents.

The UCGs were dissolved in April 2021, but CISA, and certain agencies affected by the incidents, are continuing to work together to respond to the SolarWinds incident. Agencies have completed steps to respond to the Microsoft Exchange incident.

In addition, federal agencies have reported to CISA about the actions they took to mitigate the threats introduced by the SolarWinds and Microsoft Exchange Server incidents, as well as information on network activity and each incident’s impact.

Agencies identified multiple lessons they learned from these incidents. For instance:

• coordinating with the private sector led to greater efficiencies in agency incident response efforts;
• providing a centralized forum for interagency and private sector discussions led to improved coordination among agencies and with the private sector;
• sharing of information among agencies was often slow, difficult, and time consuming and;
• collecting evidence was limited due to varying levels of data preservation at agencies.

Want to learn more about federal efforts to detect and prevent cyberattacks? We’ve designated cybersecurity as a High Risk area and have made thousands of recommendations for addressing it. Find out more by visiting our key issue page on cybersecurity.

• Comments on GAO’s WatchBlog? Contact blog@gao.gov.