Twenty US federal agencies have failed to meet the deadline to implement cyber threat incident response capabilities required by law, according to the US Government Accountability Office (GAO). A new GAO report published this week found that, as of August this year, only three out of 23 agencies had met the required event logging standards as stipulated by the 2021 Executive Order 14028, Cybersecurity Incident Response Requirements and Status of Completion. Under this order, the US Office of Management and Budget (OMB) requires all US federal agencies to reach “tier three” to show that cyber security incidents are tracked and tracking logs are appropriately retained and managed at all criticality levels.
Despite most agencies making progress in their incident preparedness such as taking steps to standardize response plans and demonstrating improvement in capabilities for incident detection, analysis, and handling, just three have reached the advanced tier three level, the GOA said. Of the remaining 20, three were at the basic (tier one) level and 17 were at the not effective (tier zero) level. “Until the agencies implement all event logging requirements, the federal government's ability to fully detect, investigate, and remediate cyber threats will be constrained,” the report read. Agencies that have failed to reach tier three include the Departments of Commerce, State and Justice.
US federal agencies report multiple cyber security incident response challenges
The report examined the resources federal agencies rely upon for cyber security incident response. These are:
- Tools such as endpoint detection and response solutions.
- Services such as threat hunting or cyber threat intelligence provided by the Cybersecurity and Infrastructure Security Agency (CISA) and third party firms.
- Skilled staff and funding.
Agencies described three key challenges that hindered their abilities to fully prepare to respond to cyber security incidents: (1) lack of staff, (2) event logging technical challenges and (3) limitations in cyber threat information sharing. “Federal entities have ongoing efforts that can assist in addressing these challenges. These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance and enhancements to a cyber threat information sharing platform.”
In addition, there are long-term efforts planned such as implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA, targeted to roll out its first phase to federal departments and agencies in fiscal year 2024, the report read.
Discover more about CISO strategies and tactics used in incident response and how the mindset of incident response has evolved