A new report titled “Federal Cybersecurity Risk Determination Report and Action Plan” sheds light on how inadequate the cybersecurity posture of U.S. federal agencies is. The report describes its own mandate as follows:
The Office of Management and Budget (OMB) is publishing this Federal Cybersecurity Risk Determination Report and Action Plan (Risk Report) in accordance with Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, (Executive Order 13800) and OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
What Are the Findings on Federal Agency Cybersecurity?
The report finds that agencies have little situational awareness, few standard processes for reporting or managing attacks, and that almost none of them properly implement even basic encryption. According to the OMB, the current state of federal cybersecurity is “untenable”. More specifically, roughly three quarters of federal agencies have seriously insufficient cybersecurity programs with significant security gaps. These programs are rated either “at risk” (significant gaps) or “high risk” (fundamental processes are missing altogether).
The report is organized around four major findings, each backed by troubling statistics and paired with recommended actions. Two of the most significant areas of risk identified in the agency assessments were the abundance of legacy information technology (IT), which is difficult and expensive to protect, and the shortage of experienced and capable cybersecurity personnel.
The Risk Report recognizes the detrimental impacts that limited personnel resources have on agencies’ ability to manage their cybersecurity risks. It also examines the risks associated with several of the IT modernization challenges, namely decentralized security operations centers (SOCs) and the lack of standardized IT capabilities.
One of the main issues is that federal agencies lack both the understanding and the resources to cope with the current threat environment. Why is that? The federal government is cumbersome and cannot keep pace with state-sponsored attackers or with the rapid development of technology. The numbers support this: of the 30,899 cyber incidents federal agencies reported in fiscal year 2016, 11,802 (roughly 38 percent) never had their attack vector identified, meaning the agencies did not know how they had been compromised.
Federal Agencies Lack Standardized Cybersecurity Processes
Among the other big problems these agencies face: they lack standardized cybersecurity processes and IT capabilities, have very little visibility into what is happening on their networks, and lack the ability to detect data exfiltration.
On top of that, only 27 percent of the agencies even “have the ability to detect and investigate attempts to access large volumes of data.”
Lastly, the agencies have no standardized and enterprise-wide processes for managing cybersecurity risks. In other words, “federal agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cybersecurity risks across the agency”.
For further details, you can read the full report.