Countermeasures

GAO warns some federal agencies fail to meet requirements for cybersecurity incident response

Over the years, federal agencies worked to improve their abilities to detect, analyze and handle cybersecurity incidents, according to the U.S. Government Accountability Office (GAO), but some have failed to meet requirements surrounding the tracking of incidents. 

Responses to ransomware attacks and data breaches have reportedly improved, but without a record of IT logs, GAO noted that the detection, investigation and remediation of cyberthreats are weakened. Agencies are standardizing incident response plans and showing improvement in capabilities across the board, with all 23 agencies now deploying endpoint detection and response solutions, and 16 separate agencies reporting 80 percent or greater coverage therein.

However, that came with a caveat: 20 agencies failed to meet requirements for investigation and remediation capabilities, despite a requirement from the Office of Management and Budget (OMB) to reach the advanced (tier 3) level by August 2023. Tier 3, in this instance, means that logging requirements should have been met at all criticality levels. Worse, only three of those who failed even reached basic tier 1 level, while the remaining 17 sat at an ineffective tier 0 level, jeopardizing the federal government’s efforts to fully detect, investigate and remediate threats.

Agencies generally described three difficulties that hindered their ability to fully respond to cybersecurity incidents: lack of staff, technical challenges, and limitations in cyber threat information sharing.

The federal government recognizes, however, that cyber-based attacks on its systems are becoming more damaging and disruptive year after year. GAO stepped in to describe the capabilities agencies used to prepare for and respond to these threats, to evaluate progress made in preparing for them, and to describe the challenges agencies face in preparing for and addressing incidents. In all, it ended up with 20 recommendations for 19 agencies on how best to implement event logging requirements and other items.

Many of these recommendations consisted of putting the onus on the departments’ respective secretaries, as well as requiring the director of the Cybersecurity and Infrastructure Security Agency (CISA) to ensure it follows up with federal agencies when the agency updates the Federal Government Cybersecurity Incident & Vulnerability Response Playbooks. Most agencies agreed with the recommendations.

Chris Galford
