Nearly three quarters of 96 agencies reviewed by federal officials have cybersecurity programs that are either “at risk” or at “high risk,” meaning “bold approaches” are needed to secure federal networks, according to the Office of Management and Budget.
Risk assessments carried out by OMB show that a lack of threat information available to agencies “results in ineffective allocations” of their limited budgets, the White House-based agency said in a report released last week. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”
In the report, a “high risk” designation means that key cybersecurity policies and tools are either absent or insufficiently deployed, while an “at risk” rating means some key policies are in place to lessen cyber risk, “but significant gaps remain.”
An executive order that President Donald Trump signed last year mandated the governmentwide survey of federal cyber risk and sought to hold agency heads accountable for that risk. According to the new OMB report, there’s a lot of accounting to be done.
While hackers have gotten more advanced, agencies’ understanding of attackers’ methods have not, according to the report. Agencies couldn’t identify the method of attack in over a third of the 30,899 cyber incidents in fiscal 2016 that led to a compromise of information or system functionality, OMB said.
That limited network visibility can have devastating consequences, as the 2015 Office of Personnel Management breach underscored. In that case, hackers sat undetected on the OPM network for months. By the time agency officials realized what was going on, personal data on 22 million current and former federal workers were gone.
That lesson has yet to be consistently heeded, according to OMB, which says just 27 percent of agencies report being able to “detect and investigate attempts to access large volumes of data,” Even fewer agencies tested that capability annually.
To better spot threats to their networks, agencies should consolidate their security operations centers, the report suggests. Many agencies currently don’t have enough fulltime employees who can effectively operate a SOC, while others have multiple SOCs that run on different technology, according to OMB.
Civilian agencies are projected to spend $5.7 billion on cyber defense based on the NIST framework in fiscal 2017, OMB said, compared to $5 billion in fiscal 2016. The scathing report could be fodder for lawmakers who want to see better return on federal IT investments.
The OMB report is part of a concerted effort to clamp down on cybersecurity risk in a federal government that is interconnected in more ways than many realize. The Department of Homeland Security, for example, issued a May 7 binding directive that gave agencies 30 days to submit an updated tally of “high-value assets,” or their most critical IT systems.