OMB Releases Report on Federal Cybersecurity Risk

This is the first post in a DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.

The White House Office of Management and Budget (OMB) released in May 2018 its report to the president on federal cybersecurity risk determination. The report, which responds to the President’s May 2017 Executive Order 13800, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” comes as several key reports also required by Executive Order 13800 have been recently released in full or in summary form. The Federal Cybersecurity Risk Determination Report and Action Plan concludes that the recent government-wide cybersecurity risk assessment conducted by the OMB, in collaboration with the Department of Homeland Security (DHS), confirms the need for the U.S. government to take “bold approaches” to improve federal cybersecurity.

Federal Cybersecurity Risk Determination Report and Action Plan

The OMB and the DHS used 76 metrics to examine the cybersecurity capabilities of 96 federal agencies and their ability to “identify, detect, respond, and if necessary, recover” from a cyber incident. The report found that 74 percent of the federal agencies evaluated (71 of 96) were either “At Risk” or “High Risk.” The 12 agencies categorized as “High Risk” lacked fundamental cybersecurity policies, processes, tools, and defenses, whereas the 59 agencies categorized as “At Risk” still showed significant vulnerabilities even though some key cybersecurity policies, processes, and tools were in place. The 25 agencies deemed to be “Managing Risk” had instituted cybersecurity policies, procedures, and tools and actively managed their cybersecurity risks. Notably, the report does not identify which agencies were assigned which risk level.

Though the agencies face a range of cybersecurity risks, the report found four key areas where agencies struggle: (i) limited situational awareness, (ii) a lack of standardized IT capabilities, (iii) limited network visibility, and (iv) a lack of accountability for managing risks. It identifies the following four core actions as necessary to address cybersecurity across the federal enterprise:

  1. Increase cybersecurity threat awareness among federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks.
  2. Standardize IT and cybersecurity capabilities to control costs and improve asset management.
  3. Consolidate agency security operations centers (SOCs) to improve incident detection and response capabilities.
  4. Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.

As part of its ongoing effort to improve federal cybersecurity risk management, the OMB plans to work with agencies over the coming year to implement the four actions.

The report is the latest in a series of efforts by the OMB and the DHS to address cybersecurity issues among federal agencies. In October 2017, the DHS issued Binding Operational Directive 18-01 (“Enhance Email and Web Security”), requiring federal executive branch departments and agencies to adopt web and email security standards such as HTTPS, HSTS, STARTTLS, SPF, and DMARC. In May 2018, the DHS issued Binding Operational Directive 18-02 (“Securing High Value Assets”), requiring federal entities to safeguard high value assets involving federal information and information systems.

Other Executive Order 13800 reports

As DBR on Data previously reported, Executive Order 13800 directs federal departments and agencies to develop reports that identify and mitigate cybersecurity risks, emphasizing areas of concern such as securing and modernizing federal networks, protecting critical infrastructure, deterring adversaries in cyberspace, and building a strong cybersecurity workforce. The reports and summaries submitted to the president pursuant to Executive Order 13800 that have been made public so far include:

Analyst Casey Syron contributed to this article.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

About this Author

Anand Raj Shah, Drinker Biddle Law Firm, Cybersecurity Attorney
Associate

Anand Raj Shah counsels clients on issues relating to cybersecurity, information governance, privacy, eDiscovery and data analytics. He assists clients in proactively evaluating and managing risks associated with their information practices, particularly during breach response or cybercrime investigations. Anand advises clients on a wide range of federal laws and regulations, including CFAA, ECPA, HIPAA, GLB, FISMA, CAN-SPAM, VPPA, COPPA, FCRA, and CISA, along with international and state data protection and breach notification laws. He guides clients on...