Connect with us

Hi, what are you looking for?



GAO: Federal Agencies Yet to Fully Implement Incident Response Capabilities

A new GAO report reveals that 20 out of 23 US federal agencies have not fully implemented incident response plans.

US federal agencies have made progress in implementing mature incident response plans, but many are still steps away from fully achieving this goal, a new report from the Government Accountability Office (GAO) shows.

According to GAO’s report, out of 23 federal agencies, only three have implemented full investigation and remediation (event logging) requirements. As of August 2023, 17 of them were at the ‘not effective’ level, while three were meeting the basic level.

“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” GAO notes.

The event logging requirements, GAO explains, ensure that federal agencies can track cybersecurity incidents and that they can appropriately retain and manage the tracking logs.

Impacted agencies, GAO reveals, include the Departments of Commerce, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Justice, Labor, State, Transportation, Treasury, and Veterans Affairs, as well as NASA, Environmental Protection Agency, General Services Administration, Nuclear Regulatory Commission, Office of Personnel Management, and Social Security Administration.

GAO’s investigation into the 23 federal agencies’ incident investigation and remediation preparedness shows that they use endpoint detection and similar software, services provided by the US cybersecurity agency CISA and third-parties, and internal resources, and that they have taken steps to standardize their incident response plans.

As of August 2023, all agencies have incorporated or are incorporating CISA’s playbook for vulnerability and incident response for agency information systems, and all have started deploying software tools for incident response, but only three have reached event logging maturity, in line with the Office of Management and Budget’s (OMB) M-21-31 memorandum.

The federal agencies were supposed to reach the maturity level by August 2023, but lack of staff, technical challenges, and limitations in threat information sharing were cited as the main causes for falling behind, GAO says.

Advertisement. Scroll to continue reading.

“Federal entities have ongoing efforts that can assist in addressing these challenges. These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance, and enhancements to a cyber threat information sharing platform,” the watchdog notes.

GAO has made 20 recommendations to 19 agencies to fully implement logging requirements. Sixteen agencies have agreed with the recommendations, while three neither agreed nor disagreed.

Related: US Publishes Implementation Plan for National Cybersecurity Strategy

Related: White House Outlines Cybersecurity Budget Priorities for Fiscal 2025

Related: US Agencies Told to Assess IoT/OT Security Risks to Boost Critical Infrastructure Protection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...