GAO audit reveals federal agencies’ struggle to fully implement cybersecurity incident response requirements

The U.S. Government Accountability Office (GAO) has identified that federal agencies have made some progress in implementing incident response requirements, but there is a need for full implementation. Out of the 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies, 20 agencies have not met requirements for investigation and remediation (event logging) capabilities. Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained.

The Office of Management and Budget (OMB) had required agencies to reach the advanced (tier 3) level by August this year; at tier 3, logging requirements at all criticality levels are met. As of August, however, only three of the 23 agencies were at tier 3. Of the remaining 20, three were at the basic (tier 1) level and 17 were at the not effective (tier 0) level.

The report highlighted that federal agencies depend on the following for cybersecurity incident response:

  • Endpoint detection and response solutions
  • Services provided by the Cybersecurity and Infrastructure Security Agency (CISA) and third-party firms, including threat hunting and cyber threat intelligence
  • Resources like skilled staff and funding

GAO interviewed officials and reviewed documentation from the 24 CFO Act agencies, CISA, and OMB on their capabilities, progress, and challenges in cybersecurity incident response. GAO analyzed questionnaire responses to evaluate agencies’ progress in incident response preparation. The Department of Defense (DoD) was excluded from some analyses because it was not subject to all requirements.

The watchdog’s objectives were to describe the capabilities federal agencies rely upon to prepare for and respond to cybersecurity incidents, and evaluate the extent to which federal agencies have made progress in preparing for cybersecurity incident response activities since the issuance of Executive Order 14028. It also sought to describe the challenges federal agencies face in preparing for cybersecurity incident response and what federal efforts, if any, can assist agencies with these challenges.

The audit comes against the backdrop of a series of high-profile cyber incidents, such as the SolarWinds and Colonial Pipeline attacks, which demonstrated the need to act with urgency to improve the security of U.S. government IT systems and strengthen the federal role in protecting critical infrastructure. Further, a May 2021 executive order marked a renewed commitment to cybersecurity and specifically prioritized incident response, making the prevention, detection, assessment, and remediation of cyber incidents a top priority.

In the performance audit from January 2022 to December 2023 following generally accepted government auditing standards, GAO said that the agencies described three key challenges that hindered their abilities to fully prepare to respond to cybersecurity incidents. These include a lack of staff, event logging technical challenges, and limitations in cyber threat information sharing. 

“Federal entities have ongoing efforts that can assist in addressing these challenges,” GAO said in its report. “These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance, and enhancements to a cyber threat information sharing platform. In addition, there are long-term efforts planned such as implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA, targeted to roll out its first phase to federal departments and agencies in fiscal year 2024.”

The report detailed that agencies rely upon tools, services, and resources for cybersecurity incident response. Specifically, they depend on tools, such as endpoint detection and response (EDR) solutions and the Continuous Diagnostics and Mitigation (CDM) program; services, such as threat hunting or cyber threat intelligence provided by CISA and third-party firms; and resources, such as skilled staff and funding.

In addition to these individual tools, the CDM program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries. 

The program intends to reduce threats and improve federal cybersecurity response through four capability areas: asset management, identity and access management, network security management, and data protection management.

Under the CDM program, DHS centrally oversees the procurement and installation of diagnostic sensors and dashboards deployed to each participating agency. Agency-level dashboards provide situational awareness to agency officials, enabling them to quickly identify which network problems to fix and empower technical managers to prioritize and mitigate risks on their respective networks. The respective agency dashboards report summary data to a federal dashboard, managed by CISA, and are intended to provide a comprehensive summary for situational awareness across the federal government. 

While GAO acknowledged in its report that agencies have made progress in certain incident response areas, they have not yet met the event logging requirements. The executive order and implementing guidance call for agencies to standardize incident response procedures, improve detection of vulnerabilities and incidents on federal networks, and improve federal investigative and remediation capabilities (event logging). 

Federal agencies have made progress by taking steps to standardize their incident response plans and demonstrating improvement in their processes and capabilities for incident detection. However, many agencies have not met the requirements for investigative and remediation (event logging) capabilities.

GAO also pointed out that agencies are challenged in fully preparing to respond to cybersecurity incidents, but federal efforts may assist. With identified challenges of lack of staff, technical challenges in event logging, and limitations in cyber threat information sharing, federal entities have initiated efforts that can assist in overcoming these challenges.

These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance, and enhancements to a cyber threat information sharing platform. In addition, there are long-term efforts planned, such as the implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA, targeted to roll out its first phase to federal departments and agencies in fiscal year 2024.

GAO made 20 recommendations for executive action to 19 agencies to, among other things, fully implement event logging requirements. Sixteen agencies agreed with the recommendations, and three neither agreed nor disagreed.

Among the recommendations, GAO proposed that the CISA director should ensure that, when the agency updates the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks, it provides additional detail to federal agencies on continuity of operations (COOP) planning and includes the requirement to provide both primary and secondary points of contact to CISA.
