The US Government Accountability Office released a report on the progress of federal agencies in meeting cybersecurity incident response requirements. Even though most are making efforts to meet the requirements, only a few departments reached advanced event logging levels.
2023 has been an important year for federal cyber incident reporting, with the Cybersecurity and Infrastructure Security Agency (CISA) working on a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the U.S. Securities and Exchange Commission (SEC) releasing their own disclosure policy on cyber incidents. Wrapping the year up, the US Government Accountability Office (GAO) released a December report on the progress of federal agencies to meet cybersecurity incident response requirements.
All 23 civilian agencies (including the Department of Education, the Environmental Protection Agency and more) assessed by the GAO demonstrated noticeable progress in their completion of the incident response preparation activities - effectively standardizing incident response plans and improving their means of detecting cyber incidents. However, a large majority of the agencies did not meet the full requirements. Only three of the total, the Department of Agriculture, the National Science Foundation (NSF), and the Small Business Administration (SBA) actually made ‘the nice list’ by reaching the advanced level of event logging requirements.
The primary 'naughty list' tendencies among the agencies were:
- Lack of Staffing: Sixteen out of 24 agencies reported a need for additional staff or positions to carry out incident response activities. This includes the need for intelligence, threat, or forensic analysts, as well as hunt teams. Some agencies also mentioned having unfilled positions within their security operations centers.
- Technical Challenges in Event Logging: Twelve agencies stated that gaps in technology or complexities with existing technical environments, such as legacy systems, proved challenging in meeting the event logging requirements. Additionally, 17 agencies cited the need for increased storage capacity to meet event logging requirements.
- Limitations in Cyber Threat Information Sharing: Thirteen agencies reported challenges with the quality or timeliness of the data being shared. They receive a large volume of cyber threat intelligence from various sources, including redundant information, which can hinder their ability to quickly utilize the potential threat information and take action.
The GAO made several recommendations on event logging requirements to the head of federal agencies so that all 23 departments can be up to speed, which most agencies agreed to implement. While there's some way to go before these departments are fully compliant, the fact that they acknowledge and are willing to work towards overcoming these challenges, gives hope for a more secure digital future for our federal agencies. So here’s to fewer lumps of coal in governmental stockings and moving more agencies to the 'nice list' next year!