
Federal Cybersecurity Posture “Untenable,” According to OMB Risk Report
In issuing Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, President Trump aimed to highlight that security and the public accountability of government officials are foundational pillars, while emphasizing the importance of reducing cybersecurity risks to the Nation. According to the Executive Order, effective cybersecurity requires any organization (whether a private sector company, a non-profit, an academic institution or an agency at the state, local, or Federal level) to identify, prioritize and manage cyber risks across its enterprise.
On May 30, 2018, the Office of Management and Budget (OMB) published the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (Risk Report), which was a requirement under Executive Order 13800. The Risk Report captures OMB’s assessment of cybersecurity risk management capabilities across the federal enterprise and provides recommendations to address the mission-critical cybersecurity gaps.
Findings and Recommended Action Plan
In their federal cybersecurity review, OMB and DHS examined the capabilities of 96 civilian agencies across 76 metrics to determine those entities’ ability to identify, detect, respond and, if necessary, recover from cyber incidents.
According to the report, “The current situation is untenable.” The report’s findings indicate that 71 of 96 agencies (74%) participating in the process had cybersecurity programs that were either “at risk” or “high risk.” (The report defines the term “high risk” as “Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently”; the term “at risk” applies to agencies where “Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.”)
The report continues: “…the risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anastasios Arampatzis. Read the original post at: https://www.tripwire.com/state-of-security/government/federal-cybersecurity-posture-untenable-according-to-omb-risk-report/