The US Government Accountability Office released a report on the progress of federal agencies in meeting cybersecurity incident response requirements. Even though most are making efforts to meet the requirements, only a few departments reached advanced event logging levels.
2023 has been an important year for federal cyber incident reporting, with the Cybersecurity and Infrastructure Security Agency (CISA) working on a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the U.S. Securities and Exchange Commission (SEC) releasing their own disclosure policy on cyber incidents. Wrapping the year up, the US Government Accountability Office (GAO) released a December report on the progress of federal agencies to meet cybersecurity incident response requirements.
All 23 civilian agencies (including the Department of Education, the Environmental Protection Agency and more) assessed by the GAO demonstrated noticeable progress in their completion of the incident response preparation activities - effectively standardizing incident response plans and improving their means of detecting cyber incidents. However, a large majority of the agencies did not meet the full requirements. Only three of the total, the Department of Agriculture, the National Science Foundation (NSF), and the Small Business Administration (SBA) actually made ‘the nice list’ by reaching the advanced level of event logging requirements.
The primary 'naughty list' tendencies among the agencies were:
The GAO made several recommendations on event logging requirements to the head of federal agencies so that all 23 departments can be up to speed, which most agencies agreed to implement. While there's some way to go before these departments are fully compliant, the fact that they acknowledge and are willing to work towards overcoming these challenges, gives hope for a more secure digital future for our federal agencies. So here’s to fewer lumps of coal in governmental stockings and moving more agencies to the 'nice list' next year!