Federal agencies rely on a triad of elements for cybersecurity incident response: tools, encompassing endpoint detection and response solutions; services, including threat hunting and cyber threat intelligence from the Cybersecurity and Infrastructure Security Agency (CISA) and third-party firms; and resources, comprising skilled staff and funding. Notably, the 23 civilian Chief Financial Officers (CFO) Act agencies, since 1990, have advanced in cybersecurity incident response preparedness by standardizing their incident response plans and enhancing capabilities in detection, analysis, and handling.
However, 20 agencies face challenges in meeting requirements for investigation and remediation capabilities, specifically event logging. The Office of Management and Budget (OMB) mandated agencies to attain the advanced (tier 3) level by August 2023, signifying compliance across all criticality levels. Regrettably, as of August 2023, only three agencies achieved tier 3 status, with three at the basic (tier 1) level and 17 at the not effective (tier 0) level. The absence of full event logging implementation hampers the federal government’s ability to detect, investigate, and remediate cyber threats comprehensively.
Agencies cite three primary challenges impeding their readiness for cybersecurity incidents: staffing shortages, technical challenges in event logging, and limitations in cyber threat information sharing. Ongoing efforts, such as CISA’s onsite cyber incident response assistance, event logging workshops, and improved cyber threat information sharing, aim to mitigate these challenges. Additionally, long-term plans, including the National Workforce and Education Strategy and a new threat intelligence platform from CISA, set to roll out in fiscal year 2024, are expected to enhance federal cybersecurity resilience.
The surge in damaging cyber-based attacks on federal systems underscores the criticality of addressing these challenges. Mandates from the Federal Information Security Modernization Act of 2014 and Executive Order 14028, coupled with OMB and CISA guidance, necessitate agencies to prioritize efforts to protect against and respond to persistent and malicious cyber campaigns.
The Government Accountability Office (GAO) conducted an evaluation to (1) delineate agencies’ capabilities for preparing and responding to cybersecurity incidents, (2) assess the extent of agencies’ progress in incident response preparation, and (3) outline challenges faced by agencies in incident response preparation and the corresponding mitigation efforts. This analysis involved interviews, document reviews, and questionnaire analyses concerning the 24 CFO Act agencies, CISA, and OMB. Excluding the Department of Defense from certain analyses, GAO’s comprehensive assessment provides valuable insights into the cybersecurity incident response landscape within federal agencies.
Read the rest of the report at GAO, here.
