Most federal agencies lack a cybersecurity risk management program, and leaders say a workforce shortage is the biggest hurdle to developing one.
The Government Accountability Office compared the policies of the 23 civilian Chief Financial Officers Act agencies with risk-based cybersecurity practices and found only seven had a cybersecurity risk management strategy in place.
The departments of Commerce, Labor, and State, as well as the U.S. Agency for International Development, General Services Administration, Office of Personnel Management and Social Security Administration all had strategies assessing the cyber risk of operations, assets, individuals, organizations, and the nation. Sixteen other agencies did not.
“Without ensuring that their policies include all key risk management activities, the agencies may not be taking the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems,” reads the GAO report.
All 23 agencies cited challenges hiring and retaining key cyber management personnel as the biggest barrier to establishing a program, followed by operational conflicts, and then inconsistent policies and procedures.
When it came to appointing a cyber risk executive, all but one agency, GSA, reported having a chief information officer, chief information security officer or other entity providing agency-wide oversight. GSA said that role was shared by multiple officials, but GAO was not convinced.
“[W]ithout clearly defining and documenting the responsibility for the risk executive function, the agency may lack consistent implementation and oversight of cybersecurity risk management activities and an effective agency-wide view for managing risk,” reads the report.
Additionally, 17 agencies were found to lack policies for assessing cyber risks using scorecards or dashboards, with some reporting they still needed to acquire tools for aggregating system-level data.
And 13 agencies failed to coordinate between cyber and enterprise-wide risk management (ERM) programs via a council or reporting briefings. Some even lacked an ERM governance structure altogether, according to the report.
GAO recommended that the agencies remedy those deficiencies and directed the Office of Management and Budget and the Department of Homeland Security to provide additional guidance and assistance in mitigating the barriers.
President Trump’s May 2017 executive order on strengthening cybersecurity called for initiatives addressing some of the challenges to risk management: hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance.
A total of 17 agencies agreed with GAO’s recommendations, three took no position, and two, along with OMB, did not comment. The Department of Health and Human Services argued that its information security and privacy policy already addresses security and privacy controls.
“However, while these policy statements require adherence to [National Institute of Standards and Technology] and OMB standards for selecting security controls and require a rationale for tailoring decisions, they do not specifically require the use of risk assessments to inform the tailoring of security controls,” reads GAO’s report.