The President has made it clear that America’s security and public accountability of government officials are foundational pillars for this Administration. One year ago, the President issued Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, emphasizing the importance of reducing cybersecurity risks to the Nation while providing exceptional service to the public.
Effective cybersecurity requires any organization — whether a private sector company, a non-profit, an academic institution, or an agency at the state, local, or Federal level — to identify, prioritize, and manage cyber risks across its enterprise. Today, the Office of Management and Budget (OMB) is publishing the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (Risk Report), which the President required under Executive Order 13800. The Risk Report captures OMB’s assessment of cybersecurity risk management capabilities across the Federal enterprise and provides recommendations to address the most mission critical cybersecurity gaps.
OMB and DHS conducted the most thorough review of Federal cybersecurity to date by examining the capabilities of 96 civilian agencies across 76 metrics to determine agencies’ ability to identify, detect, respond, and if necessary, recover from cyber incidents. Unfortunately OMB found that 71 of 96 agencies (74 percent) participating in the process had cybersecurity programs that were either At Risk or High Risk. This is unacceptable and an aggressive action plan has been developed to address the issues.
OMB and DHS also found that agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers their facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity.
The Risk Report identifies four (4) core actions that are necessary to address cybersecurity risks across the Federal enterprise:
- Increase cybersecurity threat awareness among Federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency Security Operation Centers to improve incident detection and response capabilities; and
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.
OMB and DHS have taken a series of actions to decrease the risk to Federal systems and information since developing this report. In particular, OMB and DHS worked with the interagency community to enhance the FISMA CIO Metrics to focus on capabilities that directly correspond to mitigating threats identified in the Cyber Threat Framework. DHS has also put the Cyber Threat Framework into practice via its .gov Cybersecurity Architecture Review (.govCAR) program, which is based on a tool developed by the National Security Agency for the Department of Defense to map defensive capabilities against intelligence-informed threat vectors. Though still in its early stages, the program has already identified existing gaps against certain adversary activities, allowing the government to remediate shortcomings. Both the enhanced metrics and the .govCAR program will help set the direction for Federal cybersecurity for years to come by focusing on the capabilities agencies should be working toward in the future to protect against active threats.
Additionally, and consistent with the Report to the President on Federal Information Technology Modernization, OMB, in partnership with DHS and the General Services Administration (GSA), is working to finalize a set of requirements for organizations to begin acquiring Security Operations Center as a Service. This will allow agencies currently lacking adequate security to shift to managed security solutions and provide an option to address gaps in their existing defenses much more quickly. Some federated agencies are already consolidating their Security Operations Centers to achieve greater enterprise visibility and increase the standardization of cybersecurity tools and capabilities.
Finally, OMB and DHS have committed to regularly assessing the degree to which agencies are actively managing their cybersecurity risk in support of the Modernize IT Cross Agency Priority Goal in President’s Management Agenda, and providing those assessments to agency heads, and their Deputy Secretaries or equivalent. There is still a great deal of work to be done and OMB will work with agencies to intensify the ongoing focus on improved management of cybersecurity risk. Many of these efforts will be addressed, in part, through upcoming budget processes, which will utilize the Risk Report to drive strategic investment designed to buy down the Federal Government’s overall level of risk.