Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements
Fast Facts
Federal agencies have made progress in preparing for and responding to cyber threats. For instance, agencies have improved their ability to detect, analyze, and handle incidents like ransomware attacks and data breaches.
However, some agencies have not met the federal requirements for event logging—i.e., ensuring that cybersecurity incidents are tracked and that these tracking logs are appropriately retained and managed.
Information from federal IT logs is invaluable in the detection, investigation, and remediation of cyberthreats. We recommended that federal agencies fully implement requirements to log cybersecurity events, and more.
Highlights
What GAO Found
Federal agencies rely upon the following for cybersecurity incident response:
- tools, such as endpoint detection and response solutions;
- services, such as threat hunting or cyber threat intelligence provided by the Cybersecurity and Infrastructure Security Agency (CISA) and third party firms; and
- resources, such as skilled staff and funding.
The 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies have made progress in cybersecurity incident response preparedness by taking steps to standardize their incident response plans and demonstrating improvement in their capabilities for incident detection, analysis, and handling (see table).
Executive Order 14028 Cybersecurity Incident Response Requirements and Status of Completion, as of August 2023
|
Requirement |
Status |
|---|---|
|
Agencies are to use the Cybersecurity and Infrastructure Security Agency playbook (issued in November 2021) for planning and conducting cybersecurity vulnerability and incident response activities for agency information systems |
Agencies have incorporated or are incorporating the playbook into their plans, and all 23 agencies substantially completed the preparation phase activities. |
|
Agencies are to deploy an endpoint detection and response initiative and work toward ensuring coverage on 80 percent of endpoints |
All 23 agencies have begun to deploy an endpoint detection and response solution, and 16 agencies have reported 80 percent or greater coverage. |
|
Agencies are to assess their event logging maturity against the maturity model in the Office of Management and Budget's M-21-31 memorandum, identify gaps associated with completing each of the requirements, and work toward reaching event logging tier 3 by August 2023 |
Twenty agencies did not reach the maturity level tier 3 by the deadline. |
Source: GAO analysis of agency cybersecurity incident response information. | GAO-24-105658
However, 20 agencies have not met requirements for investigation and remediation (event logging) capabilities. The Office of Management and Budget (OMB) required agencies to reach the advanced (tier 3) level by August 2023. The tier 3 level means that logging requirements at all criticality levels are met. However, as of August 2023, three of the 23 agencies were at tier 3. Of the remaining 20, three were at the basic (tier 1) level and 17 were at the not effective (tier 0) level. Until the agencies implement all event logging requirements, the federal government's ability to fully detect, investigate, and remediate cyber threats will be constrained.
Agencies described three key challenges that hindered their abilities to fully prepare to respond to cybersecurity incidents: (1) lack of staff, (2) event logging technical challenges, and (3) limitations in cyber threat information sharing. Federal entities have ongoing efforts that can assist in addressing these challenges. These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance, and enhancements to a cyber threat information sharing platform. In addition, there are long-term efforts planned such as implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA, targeted to roll out its first phase to federal departments and agencies in fiscal year 2024.
Why GAO Did This Study
Cyber-based attacks on federal systems have become more damaging and disruptive. The Federal Information Security Modernization Act of 2014 (FISMA) requires that agency information security programs include procedures for detecting, reporting, and responding to security incidents. Executive Order (EO) 14028 builds on FISMA and establishes priorities for the federal executive branch to improve efforts to protect against and respond to persistent and malicious cyber campaigns. The EO and OMB and CISA guidance require agencies to address these priorities.
GAO's objectives were to (1) describe the capabilities agencies use to prepare for and respond to cybersecurity incidents, (2) evaluate the extent to which agencies have made progress in preparing for cybersecurity incident response, and (3) describe the challenges agencies face in preparing for incident response and the efforts to address them.
GAO interviewed officials and reviewed documentation from the 24 CFO Act agencies, CISA, and OMB on their capabilities, progress, and challenges in cybersecurity incident response. GAO analyzed questionnaire responses to evaluate agencies' progress in incident response preparation. The Department of Defense was excluded from some analysis because it was not subject to all requirements.
Recommendations
GAO is making 20 recommendations to 19 agencies to, among other things, fully implement event logging requirements. Sixteen agencies agreed with the recommendations and three neither agreed nor disagreed.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Cybersecurity and Infrastructure Security Agency | 1. The Director of CISA should ensure that when the agency updates the <i>Federal Government Cybersecurity Incident & Vulnerability Response Playbooks</i> that it provides additional detail to federal agencies on COOP planning and includes the requirement to provide both primary and secondary points of contact to CISA. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Commerce | 2. The Secretary of Commerce should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | 3. The Secretary of Education should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Energy | 4. The Secretary of Energy should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Health and Human Services | 5. The Secretary of Health and Human Services should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Homeland Security | 6. The Secretary of Homeland Security should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Housing and Urban Development | 7. The Secretary of Housing and Urban Development should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 7) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of the Interior | 8. The Secretary of the Interior should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 8) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Justice | 9. The Attorney General should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 9) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Labor | 10. The Secretary of Labor should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 10) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of State | 11. The Secretary of State should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 11) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Transportation | 12. The Secretary of Transportation should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 12) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of the Treasury | 13. The Secretary of the Treasury should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 13) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Veterans Affairs | 14. The Secretary of Veterans Affairs should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 14) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Environmental Protection Agency | 15. The Administrator of the Environmental Protection Agency should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 15) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| General Services Administration | 16. The Administrator of the General Services Administration should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 16) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| National Aeronautics and Space Administration | 17. The Administrator of the National Aeronautics and Space Administration should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 17) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Nuclear Regulatory Commission | 18. The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 18) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Office of Personnel Management | 19. The Director of the Office of Personnel Management should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 19) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Social Security Administration | 20. The Commissioner of the Social Security Administration should ensure that the agency fully implements all event logging requirements as directed OMB guidance. (Recommendation 20) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|