US federal agencies have made progress in implementing mature incident response plans, but many are still steps away from fully achieving this goal, a new report from the Government Accountability Office (GAO) shows.
According to GAO’s report, of the 23 federal agencies reviewed, only three have fully implemented the event logging requirements that underpin incident investigation and remediation. As of August 2023, 17 of the 23 were at the ‘not effective’ level, three had reached only the basic level, and three had reached full implementation.
“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” GAO notes.
The event logging requirements, GAO explains, ensure that federal agencies can track cybersecurity incidents and that they can appropriately retain and manage the tracking logs.
Agencies that had not yet met the requirements, GAO reveals, include the Departments of Commerce, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Justice, Labor, State, Transportation, Treasury, and Veterans Affairs, as well as NASA, the Environmental Protection Agency, the General Services Administration, the Nuclear Regulatory Commission, the Office of Personnel Management, and the Social Security Administration.
GAO’s review of the 23 agencies’ incident investigation and remediation preparedness shows that they rely on endpoint detection and response software and similar tools, on services provided by the US cybersecurity agency CISA and by third parties, and on internal resources, and that they have taken steps to standardize their incident response plans.
As of August 2023, all agencies had incorporated or were incorporating CISA’s playbook for vulnerability and incident response for agency information systems, and all had started deploying software tools for incident response. Only three, however, had reached the event logging maturity level required by the Office of Management and Budget’s (OMB) memorandum M-21-31.
The federal agencies were required to reach that maturity level by August 2023. GAO says the agencies cited a lack of staff, technical challenges, and limitations in threat information sharing as the main reasons for falling behind.
“Federal entities have ongoing efforts that can assist in addressing these challenges. These efforts include onsite cyber incident response assistance from CISA, event logging workshops and guidance, and enhancements to a cyber threat information sharing platform,” the watchdog notes.
GAO has made 20 recommendations to 19 agencies to fully implement logging requirements. Sixteen agencies have agreed with the recommendations, while three neither agreed nor disagreed.