GAO: Most agencies aren't sticking to the cybersecurity script

A new watchdog audit says that many big agencies aren't managing cybersecurity risk by the book.

According to a Government Accountability Office report, largely based on FISMA audits by agency inspectors general, found that 17 of 23 Chief Financial Officer Act agencies are failing to effectively implement core functions of the cybersecurity framework of the National Institute for Standards and Technology.

Seventeen agencies had "material weaknesses and significant deficiencies" in internal security controls and only 13 were found to be adequately managing enterprise risk, according to the Dec. 18 report.

"Agencies' inspectors general determined that most of the 23 civilian CFO Act agencies did not have effective agency-wide information security programs," auditors wrote. "They also reported that agencies did not have effective information security controls in place, leading to deficiencies in internal control over financial reporting."

The federal government has established a number of enterprise cybersecurity policies over the past five years, such as the Federal Information Security Act, the NIST Cybersecurity Framework, the Federal Cybersecurity Enhancement Act and multiple executive orders issued by Presidents Barack Obama and Donald Trump. However, auditors said these strategies "did not include key elements of desirable characteristics," such as performance metrics and clear roles for federal agencies, to govern resource allocation decisions.

The Trump administration released an updated cyber strategy earlier this year that attempted to address many of these issues.

The Office of Management and Budget has reported more than 30,000 cybersecurity incidents across the federal government for each of the past two years, and IT policymakers have expressed concern that legacy systems continue to pose a significant threat to effective cybersecurity. Meanwhile, individual audits over the past year have uncovered alarming cybersecurity vulnerabilities at the Departments of Defense, Treasury and other agencies.

The report also highlights the largely positive role that the Department of Homeland Security has played in raising baseline cybersecurity standards, from the use of Binding Operational Directives to implementing programs like Continuous Diagnostics and Mitigation and EINSTEIN.

EINSTEIN, is designed to detect and block malicious traffic from entering agency networks, but it still have difficulty monitoring encrypted data or traffic generated by industrial control systems. Additionally, DHS metrics on the program "do not provide information about how well the system is enhancing government information security or the quality, efficiency and accuracy of supporting actions," the report states.

Uneven implementation across the government was also a problem, with only 15 CFO Act agencies using all three of the program's main capabilities, and 13 reported that not all of their traffic flows through EINSTEIN.

GAO advised DHS to engage with OMB and agencies to foster better cooperation on cybersecurity and recommended that OMB submit an intrusion assessment plan to Congress, update analysis of agency detection and prevention capabilities and directed the federal CIO to update reporting to Congress on detection of advanced persistent threats and work with DHS to identify further obstacles and impediments.

OMB didn't supply comments on the report for publication, but told GAO via email that many of existing reporting demonstrates that it is achieving cybersecurity outcomes under FISMA.