Request a call

Current Situation with US Federal Agencies Untenable: Cybersecurity Report by OMB

Last updated on June 7, 2018 by Dotsquares

Considering the ongoing buzz around cybersecurity and the recent warning against state-sponsored attacks, you would assume the federal agencies in the US to be on their best guard. However, a recent report published by The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) has clarified the unexpected truth.

In fact, according to the report, the circumstances aredirer than we thought. OMB had declared that around 74 % percent of the total 96 agencies to be either ‘at risk’ (59 agencies have significant gaps in security policies and tools) or ‘high-risk’ (Fundamental security policies are non-existent or not yet deployed in 12 agencies) and the overall situation is described as ‘untenable’.

Important Findings and the suggested solutions

Other than the aforementioned shocking numbers, the report presents 4 important findings and corresponding correctional measures.

Lack of situational awareness
With the rapid pace at which the technology is advancing, it is rather surprising how unaware the federal agencies are in terms of cybersecurity risks. It is noteworthy that out of the 30,899 cyber attacks that happened in the fiscal year 2016, 11,802 have remained unsolved. The agencies have no clue about the methods of the attacks or the vectors that have made the system susceptible, let alone how to prepare for the potential threats.
The report says that it is, therefore, necessary to establish a well-defined Cyber Threat Framework that will set the priorities, and manage the limited resources these agencies have to deal with in the current high-threat environment, and in a more optimised manner. The implementation of the framework, OMB, DHS, and National Security Agency (NSA) will also provide all the necessary assistance.

No standardised cybersecurity processes and policies
Another surprising finding of the report is that there is absolutely no basic concept of best practices, or any standardised policy to implement and/or upgrade the cybersecurity processes across the entire system. In fact, the lack of vigilance is so disturbing that only 49% of all the agencies have the essential tools or well-defined methods to whitelist software running on their systems. Furthermore is that the complexity of the IT resources that the agencies are using is so overlapping and distinct that the sheer conceptualisation of a standard solution would take enormous efforts. All of this is quite surprising because agencies have already taken steps through acts like FITARA (the Federal Information Technology Acquisition Reform Act) to bring more visibility into the IT acquisition of the agencies to streamline the involved processes back in the year 2016. Nevertheless, the report suggests amendments in the policies to have more standardised solutions that are in tune with the contemporary requirements.

Limited visibility into the networks and no detection tools for data exfiltration
The risk assessment methodology used by the Office has also revealed that nearly 73% of the agencies have limited to no access to the tools, that will render the ideal visibility into their network, with only 40% of the agencies in the possession of the tools to detect encrypted data exfiltration. So in simple words, a significant percentage of the agencies have no means to detect if a large amount of crucial data gets compromised on their network, leaving the entire system vulnerable against high-profile attacks. To mitigate the risk, or at least, to reduce the surface area of susceptibility, DHS’s Continuous Diagnostics and Mitigation program (CDM), will find ways to enable the agencies to have better insights over their networks, along with the implementation of boundary protection, event management, access management, and other Security Operations Center capabilities and processes

No standardised enterprise-scale processes for management of risk and its accountability
The final finding, that can also be termed as the root cause for all the others, is the lack of accountability within the agencies, and consequential lack of standard enterprise-wide processes, to deal with cybersecurity threats. Though under the Executive Order 13800 and Federal Information Security Modernization Act of 2014, the agency heads were taken as the responsible authority for the management of cybersecurity threats and risks. However, the duty for this specific area is often delegated to the CIO and CISOs who do not have enough authority to make organization-wide decisions. So in order to streamline the management process with utmost effectiveness, the Office has stiffened its reporting processes that now would require the agency heads to present quarterly risk assessment reports that will detail the specific agencies’ progress in the implementation of the existing and cybersecurity controls.

Although these findings have made clear the distressing situation around cybersecurity with federal agencies, the corresponding solutions bring a wave of hope that conditions will be better in the future. In any case, it is clear that the Office is quite disappointed in the agencies’ efforts, over managing the cybersecurity methods in such a threat-impeded environment. The report concludes that “Non-defense Federal agencies budgeted less than $51 million on encrypting data at rest in FY 2017, among the lowest of any cybersecurity capability, with 50 percent of this budget coming from two agencies. Compare this to the almost $210 million agencies have budgeted for attaining and renewing authorities to operate for their systems, and it is easy to see government’s priorities must be realigned.

Resources

https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf

https://searchsecurity.techtarget.com/news/252442329/Federal-cybersecurity-report-says-nearly-75-of-agencies-at-risk

https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/?guccounter=1