US agencies fall short on cyber risk management, GAO report finds

By Jack Aldane on 20/02/2022 | Updated on 20/02/2022


Several US federal agencies responsible for tracking and assessing the adoption of cybersecurity standards across the country’s critical infrastructure have neglected those duties, according to a report recently published by the Government Accountability Office (GAO).

The report follows a 2013 presidential directive that passed into law in last year’s US defense policy bill, handing responsibility for cyber risk management to nine agencies across 16 critical infrastructure sectors. Those agencies include the departments of Agriculture, Defense, Energy, Health and Human Services, Transportation, Treasury and Homeland Security, as well as the Environmental Protection Agency, and the General Services Administration.

Yet, of the 16 critical infrastructure sectors the agencies were meant to assess for adoption of cybersecurity standards, the assessments for 13 were found to be incomplete, as reported by Government Executive.

Specifically, GAO said agencies had failed to establish whether their sectors had adopted the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework. Agencies for nine of the sectors were found not to have taken any steps to determine adoption of the framework. Those sectors were: chemical; emergency services; healthcare and public health; financial services; commercial facilities; communications; and nuclear reactors, materials and waste.

The report took note of the perspective of some of the agencies as to why these duties went unfulfilled.

“Officials from [US Department of Health and Human Services] stated that other priorities, such as the COVID-19 response and managing response planning and recovery from an increase in ransomware attacks, have stretched resources thin and shifted the focus away from determining adoption of the framework,” the report said.

Some agencies fared better than others. The Department of Energy, for example, had begun tracking requests for sector-specific cybersecurity toolkits. Even so, most agencies had not succeeded in tracking and assessing the level of implementation in their sectors.

Juggling priorities

GAO clarified that the purpose of its report was to respond to the increasing threat of cyber attacks “like the May 2021 ransomware cyberattack on an American oil pipeline system that led to regional gas shortages”, adding that such events represent “a significant national security challenge”.

It said the framework was launched “to better protect against cyber threats”, setting out core security functions and technical safeguards for managing the risk of vulnerabilities and intrusions.

Adoption of the framework is voluntary, however, which the report cited as another reason some agencies gave for their assessments slipping down the priority list. Other difficulties they reported included “developing precise measurements of improvement” when gauging adoption.

The report offered recommendations, including that agencies work to “develop metrics to assess the effectiveness of its framework promotion efforts”. It said the Department of Homeland Security (DHS) agreed with the recommendation, and had started taking steps to implement it.

Commenting on the measures already taken to improve the rate of assessment, GAO said NIST launched an information security measurement programme in 2020, while the DHS had set up an information network allowing sectors to “share best practices”.

GAO also said it had made efforts to encourage agencies to develop methods for determining the level of framework adoption and reporting sector-wide improvements. However, it added: “most agencies have not yet implemented these recommendations”.

“Implementing GAO’s prior recommendations on framework adoption and improvements are key factors that can lead to sectors pursuing further protection against cybersecurity threats,” it said.

About Jack Aldane

Jack is a British journalist, cartoonist and podcaster. He graduated from Heythrop College London in 2009 with a BA in philosophy, before living and working in China for three years as a freelance reporter. After training in financial journalism at City University from 2013 to 2014, Jack worked at Bloomberg and Thomson Reuters before moving into editing magazines on global trade and development finance. Shortly after editing opinion writing for UnHerd, he joined the independent think tank ResPublica, where he led a media campaign to change the health and safety requirements around asbestos in UK public buildings. As host and producer of The Booking Club podcast – a conversation series featuring prominent authors and commentators at their favourite restaurants – Jack continues to engage today’s most distinguished thinkers on the biggest problems pertaining to ideology and power in the 21st century. He joined Global Government Forum as its Senior Staff Writer and Community Co-ordinator in 2021.
