Federal Agencies’ Digital Security Programs Need Work, Risk Assessments Reveal
On 11 May 2017, President Trump issued the Executive Order "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." This directive, among other things, identified agency heads as the people ultimately responsible for managing cybersecurity risk within executive departments.
In service of that purpose, the White House specified in its order that federal agency heads must use NIST's Cybersecurity Framework to manage their agency's digital security risk. It also required agency heads to submit a risk management report to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) within 90 days of the Executive Order's date of issuance.
OMB and DHS received risk management assessments from 96 civilian agencies. Together, the two government bodies evaluated the reports across 76 metrics to measure the agencies’ preparedness for identifying, detecting, responding to and recovering from digital security incidents. They then presented their findings in their joint Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (Risk Report), which they published on 30 May 2018.
Overall, OMB and DHS found that federal agencies’ digital security programs need work. Of the 96 agencies that submitted reports, just 25 of them were adequately managing risk across the enterprise. The remaining 71 agencies (or 74 percent of participants) had digital security programs that were either at risk or at high risk, meaning they were ill-equipped to investigate how threat actors could access their information and to make wise digital security investments.
The Risk Report tied this evaluation to four main findings. These were as follows:
Finding One: Limited Situational Awareness
First and foremost, OMB and DHS observed in their review that agencies possess limited situational awareness of the threats in their environments. They found that those charged with defending agency networks don't have
This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/government/federal-agencies-digital-security-programs-need-work-risk-assessments-reveal/