Most Agencies ‘At Risk’ or ‘High Risk’ of Cyberattacks
According to a newly released report by the Office of Personnel Management, a risk assessment of federal agencies’ cyber-preparedness – undertaken following massive data breaches at OPM three years ago – most federal agencies remain either “at risk” or “high risk” of future cyberattacks.
Both “OMB and DHS determined that 71 of 96 agencies” – or 74 percent of agencies – “participating in the risk assessment process have cybersecurity programs that are either at risk or high risk” and “also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information.”
In the Risk Report, OMB and DHS identified “four core actions that are necessary to address” the risks laid out in the report:
- Increase cybersecurity threat awareness among Federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks
- Standardize IT and cybersecurity capabilities to control costs and improve asset management
- Consolidate agency SOCs to improve incident detection and response capabilities
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.
The release of the report corresponds with a new executive order from the White House, Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The order states that agency heads “will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
The order also calls on agency heads to “use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk” and states that they “shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days of the date of this order.”
Relatedly, this week, the U.S. General Services Administration issued a request for information “on its acquisition vehicle developed specifically for agencies to buy modern cybersecurity services,” according to Billy Mitchell at FedScoop.