The Government Accountability Office (GAO) is calling on two Federal agencies in charge of overseeing the implementation of President Biden’s 2021 cybersecurity executive order (EO) to fully complete the remaining five requirements tasked to them in the order.
The White House’s May 2021 cyber EO has three key agencies primarily responsible for the implementation of the oversight and leadership requirements: the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB).
Among its 115 provisions, the EO contains 55 leadership and oversight requirements. The Federal watchdog found that CISA, NIST, and OMB have fully completed 49 of their 55 requirements, and partially completed five of them. One other requirement was deemed no longer applicable.
“Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected,” the report says.
GAO identified one partially complete requirement in each of the following categories: removing barriers to sharing threat information; enhancing software supply chain security; establishing a Cyber Safety Review Board; improving detection of cybersecurity vulnerabilities and incidents; and improving the Federal government’s investigative and remediation capabilities.
The 73-page report notes that GAO identified governmentwide leadership and oversight requirements in the EO and the three key agencies required to perform them. GAO then reviewed the agencies’ implementation of those requirements. GAO said it also compared challenges identified in its work and in discussions with Federal CISOs against the content of the EO to determine whether they were addressed.
GAO made two recommendations to CISA and three to OMB to fully implement the EO’s requirements. CISA agreed with recommendations to further define critical software and improve operations of the Cyber Safety Review Board.
GAO recommends that OMB:
- Demonstrate that the office has conducted cost analyses for the implementation of recommendations related to the sharing of threat information;
- Demonstrate that the office has coordinated with pertinent Federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability; and
- Demonstrate that the office has coordinated with pertinent Federal agencies regarding resourcing needs for logging, log retention, and log management capabilities.
OMB stated it had no comments on GAO’s report.