“Twenty-four major federal agencies have not consistently demonstrated that they are effectively responding to cyber incidents categorized as a security breach of a computerized system and information,” according to a new federal audit.
Meanwhile, “The number of cyber incidents reported by federal agencies increased in fiscal year 2013 significantly over the prior 3 years,” reported the Government Accountability Office (GAO) audit report.
GAO said, “An effective response to a cyber incident is essential to minimize any damage that might be caused,” and emphasized that the Department of Homeland Security (DHS) and United States Computer Emergency Readiness Team [US-CERT] “have a role in helping agencies detect, report and respond to cyber incidents.”
“Based on a statistical sample of cyber incidents reported in fiscal year 2012,” GAO said that it “projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent).”
“For example,” GAO reported, “agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken.”
Of the 6 selected agencies that GAO reviewed in depth, all had developed parts of policies, plans and procedures to guide their incident response activities, but “their efforts were not comprehensive or fully consistent with federal requirements,” GAO said.
GAO said that “while the Office of Management and Budget (OMB) and DHS conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture … the reviews have not addressed agencies’ cyber incident response practices.”
And “Without complete policies, plans and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents,” GAO said in its report to Congress.
GAO said officials from the 24 agencies surveyed said they were generally satisfied with the assistance provided by DHS and US-CERT, which offer services that help agencies prepare to handle cyber incidents, maintain awareness of the current threat environment and deal with ongoing incidents. GAO said officials made suggestions to make the services more useful, such as improving reporting requirements.
“Although US-CERT receives feedback from agencies to improve its services,” GAO said, “it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies.”
“Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents,” GAO concluded.
GAO made recommendations to both OMB and DHS to address incident response practices governmentwide, “particularly in CyberStat meetings with agencies; to the heads of six agencies to strengthen their incident response policies, plans and procedures; and to DHS to establish measures of effectiveness for the assistance US-CERT provides to agencies.”
The agencies generally concurred with GAO’s recommendations.