Today, the Office of Management and Budgeting (OMB) released The Federal Cybersecurity Risk Determination Report and Action Plan, mandated by cybersecurity executive order 13800. This report illustrates a high-level review of government cybersecurity risks, identifies actions to improve federal cybersecurity, and acknowledges all parties involved must work together to identify how to implement those actions.
In addition to describing the action plan, the report outlines OMB’s evaluation of agency risk management assessment reports. The report found that 71 of 96 agencies (74 percent) participating in the risk assessment process have cybersecurity programs that are either at risk or high risk. To most this is likely not surprising news; however, it’s not all grim. There has been a lot of progress in the last year and just like The IT Modernization Plan, this report is a step in the right direction.
The timing of the report was interesting. I’ve been speaking to a lot of CIO and CISOs at civilian agencies and there seems to be a real internal push in these organizations to be more proactive in addressing cybersecurity issues. This report reiterates the importance of addressing cybersecurity needs across the Federal Government but is vague in addressing the specific requirements necessary to shore up infrastructure.
From working at the Pentagon, I know that a lot of public facing digital assets (i.e. mobile apps and websites) are susceptible to attacks, but they are not specifically called out in the report. Further, phishing, botnets, malware, ransomware, and social engineering techniques are all incredibly relevant to these agencies, yet all left unaddressed. Mobile apps are developed on cross-platform tools and can be susceptible to vulnerabilities while public facing websites that haven’t been updated on a regular basis are not up to a modern software development standards. To truly be proactive, this report should have included specific steps to implement processes and frameworks such as shoring up digital assets including websites and infrastructure.
The last thing to mention is the lack of a White House cybersecurity advisor. Without someone in this position, there is an obvious gap in leadership, however civilian agencies continue to operate without this role, so there is no reason that the federal sector can’t continue to address their specific cybersecurity needs. The CIOs and CISOs at these agencies are working hard to address cybersecurity issues – an advisor won’t change that.