A newly issued Government Accountability Office (GAO) report highlights gaps in implementing Federal guidance on cybersecurity at major agencies in fiscal year 2017, finding 35,277 cybersecurity incidents.
The report released Tuesday acts as a comprehensive review of cybersecurity challenges identified by GAO and agency inspectors general for fiscal year 2017. The report compares the realities at agencies to the guidelines laid out in the Federal Information Security Modernization Act of 2014 (FISMA), the Federal Cybersecurity Enhancement Act of 2015, and the National Institute of Standards and Technology’s (NIST’s) cybersecurity framework.
In particular, the report highlights the lack of capabilities during FY 2017 to detect and prevent network intrusions, poor findings in agency FISMA reports, and the risk management assessments issued by the Office of Management and Budget (OMB).
The report examines efforts by OMB and the Department of Homeland Security (DHS) to support intrusion detection and prevention capabilities, noting that while both agencies took steps forward, work remained to be done to meet congressional and administration mandates. The report notes limitations for the National Cybersecurity Protection System (NCPS), also known as EINSTEIN, and points to implementation delays in the Continuous Diagnostics and Mitigation (CDM) program. For OMB, the report notes that while the agency was involved in overseeing agency implementation, OMB did not fully address the reporting requirements, and had not developed the full policy needed.
At the agencies, GAO cited FISMA reports from offices of inspector general (OIGs) that found the majority of agencies were rated ‘not effective’ in information security. “Further, in agency financial statement audit reports for fiscal year 2017, inspectors general reported that, despite improvements being made in information security practices, most of the civilian CFO Act agencies continued to exhibit deficiencies in information security controls,” the report adds.
The report also cites OMB’s findings on cybersecurity risk management, pointing to an assessment that found 10 out of 23 agencies were not managing cybersecurity risk for fiscal year 2017. GAO included the failure to meet OMB’s cybersecurity cross-agency priority goals as well, noting that only 6 out of 23 agencies met all the required goals.
In its recommendations to address the FY 2017 gaps, GAO called for DHS to provide more training on NCPS and CDM, and for OMB to fulfill its reporting requirements. The report also calls for updates to the high-value asset policy and the Trusted Internet Connections (TIC) initiative, both of which have been released this month.
The GAO report contains no information on how, or whether, agencies addressed these performance problems in 2018.