The United States' Office of Management and Budget (OMB) oversees the implementation of the president's objectives in the areas of policy, budget, management and regulation. To that end, the recent government-wide cybersecurity risk assessment, carried out by the OMB in coordination with the Department of Homeland Security (DHS), highlights several serious issues that continue to imperil federal cybersecurity and ultimately put the nation at risk.
The risk report examined federal agencies' ability to "identify, detect, respond, and if necessary, recover from cyber intrusions, in accordance with Executive Order 13800. The actions discussed in this report aim to improve government-wide governance processes and implement cybersecurity capabilities 'commensurate with risk and magnitude of the harm' that the compromise of a Federal information system and information would entail."
The OMB and DHS assessed the performance of 96 agencies across 76 metrics and found that 71 of those 96 agencies have cybersecurity programs rated either "at risk" or "high risk." From that assessment they identified the four core actions they deemed necessary to address cybersecurity risks across the Federal enterprise.
Thirty-eight percent of federal cyber incident reports lacked an identified attack vector, which means that in roughly 4 out of 10 incidents the agency could not say how the intrusion happened, let alone attribute it to a specific actor. In terms of communicating cyber risk, just 59 percent of agencies reported having processes in place to communicate cyber risks across their enterprises.
The report acknowledged that "an agency's ability to mitigate security vulnerabilities is a direct function of its ability to identify those vulnerabilities across the enterprise. Agency risk assessments show that this issue becomes more complex in federated agencies, where there are not standardized procedures or technology across the organization. The lack of standardization and access to common capabilities means that these agencies cannot apply a single solution to address specific cybersecurity challenges and eventually reduce their overall attack surface."
Phishing was also addressed, since phishing remains one of the most common attack vectors across both government and industry. The report notes that standardizing and consolidating email at the enterprise level is an important element of the strategy to secure users. But some federal agencies report having several separately managed email services inside their agencies. One agency listed 62 separately managed email services used by its staff, which would make it virtually impossible to apply consistent controls, or to track and inspect inbound and outbound communications, across that agency.
In an article in Wired, Chris Wysopal, Chief Technology Officer at CA Veracode, comments on the standardization issues, saying that "one thing they seem to have kind of punted on is the whole legacy tech modernization issue." Wysopal sees that as "probably the biggest and most important issue. Agencies are using five different versions of Windows going back 10 years, running multiple versions of things like Java and Flash, and their email is a huge mess. You're never going to be able to hire enough personnel to manage all that risk without simplifying and standardizing."
A measly 27 percent of agencies reported having the ability to detect and investigate attempts to access large volumes of data. The assessment points out that the current situation is untenable: agencies lack both the visibility into their networks needed to determine whether a cybersecurity incident has occurred and the ability to minimize the impact of an incident once one is detected.
Only 16 percent of agencies reported meeting the government-wide goal of encrypting data at rest. Findings like this one led the report to conclude that there is a lack of accountability for managing cybersecurity risk.
Wired's reaction to this finding:
"Producing the 'Risk Determination Report and Action Plan' was a requirement of the Trump administration's May cybersecurity Executive Order, and while passing the EO was a positive step in terms of prioritizing digital defense, progress overall has been mixed. The report also comes at a time when the White House has been sending conflicting messages about its focus on cybersecurity—last month the Trump administration eliminated its top two cybersecurity policy and management leadership roles including one that specifically oversaw federal government cybersecurity."
Many have voiced concern over the decision to eliminate these roles and have warned that it will lead to a lack of unified focus against cyber threats.
The report concludes by stating that "at a time when our reliance on technology is becoming greater and the Nation's digital adversaries are growing more adept, we must ensure that the Federal Government can secure citizens' information and deliver on their core missions."
Next on the agenda for the OMB is taking the necessary actions to "implement the Cybersecurity Threat Framework, standardize IT capabilities and tools, consolidate or migrate SOC operations, and drive accountability for cybersecurity risk management across the enterprise." The agency will continue to coordinate with its cross-agency partners, including DHS, NIST and GSA, to ensure that agencies are aware of expectations and available resources. The OMB will also work through the Federal CIO and CISO Councils to ensure that the federal government is moving toward improved cybersecurity outcomes.