GAO Report: Cyber Incident Response at U.S. Federal Agencies Lacking

More than a few federal agencies have some work to do when it comes to incident response, according to a December 4, 2023, report from the U.S. Government Accountability Office (GAO), titled "Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements." GAO-24-105658 assesses the progress of 23 civilian Chief Financial Officers (CFO) Act agencies in complying with Executive Order 14028's cybersecurity incident response requirements.

Key findings in the GAO report

• Progress made: Agencies have taken steps to standardize their incident response plans and improve their capabilities for detection, analysis, and handling of incidents. All agencies incorporated or are incorporating the Cybersecurity and Infrastructure Security Agency (CISA) playbook into their plans, and most completed the preparation phase activities.

• Gaps remain: However, the report highlights several areas where agencies are lagging:

  • 20 agencies have not met requirements for investigation and analysis. This includes deficiencies in incident scope determination, root cause analysis, and evidence collection.
  • Only 16 agencies have achieved 80% or greater endpoint detection and response coverage. This is crucial for identifying and stopping cyberattacks early.
  • 20 agencies did not reach the maturity level tier 3 for event logging. This limits their ability to track and analyze security events effectively.
    

Consequences for agencies

• Increased vulnerability to cyberattacks: Failure to fully implement the requirements leaves agencies exposed to potential breaches and data loss.

• Potential for reputational damage: High-profile cyberattacks can damage public trust in agencies and their ability to protect sensitive information.

• Financial losses and disruptions: Cyberattacks can result in financial losses from data breaches, operational disruptions, and remediation costs.

Recommendations for agencies

• Address outstanding requirements: Agencies need to prioritize addressing the identified gaps in their incident response capabilities, particularly investigation and analysis, endpoint detection and response coverage, and event logging maturity.

• Strengthen collaboration and information sharing: Agencies should collaborate with CISA and other agencies to share best practices, threat intelligence, and incident response expertise.

• Invest in training and resources: Agencies need to provide ongoing training for their employees on cybersecurity best practices and invest in the necessary tools and technologies to support their incident response efforts.

Overall, GAO-24-105658 serves as a wake-up call for federal agencies. While progress has been made, significant work remains to fully implement the cybersecurity incident response requirements and ensure the protection of critical government systems and data.

The report also includes individual agency breakdowns with specific findings and recommendations.

President Joe Biden issued a May 2021 Executive Order on cybersecurity that required agencies to "establish requirements for logging, log retention and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency," among other requirements.

[RELATED: 5 Top Themes from Biden's Executive Order on Cybersecurity]