Most government agencies have met Federal mandates to designate cyber risk executives and establish policies for making risk-based cybersecurity decisions, but many agencies still need to establish cyber risk strategies, conduct risk assessments, and address gaps in existing risk management policies, according to a Government Accountability Office (GAO) report released July 26.
GAO identified key practices from cybersecurity and enterprise risk management guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), assessing agencies based on their implementation of:
- A cybersecurity risk executive;
- A cybersecurity risk management strategy;
- Documentation of risk-based policies;
- Agency-wide cybersecurity risk assessments; and
- Coordination between cybersecurity and enterprise risk management.
GAO found that 22 civilian CFO Act agencies have established a cybersecurity risk executive, and all have put policies and procedures into place to implement risk management activities.
However, GAO found that 16 agencies did not fully establish a cybersecurity risk management strategy, 13 agencies did not fully establish a process to coordinate cybersecurity risk and enterprise risk, and 11 did not develop a cybersecurity risk assessment process. Additionally, GAO found gaps in the policies of 17 agencies, most of them cited for not using risk assessments to guide plan of action and milestones (POA&M) prioritization, not using risk assessments to select security controls, and not requiring agency-wide risk assessments.
When GAO surveyed agencies about the biggest challenges for their cybersecurity risk management programs, all respondents highlighted the difficulty in hiring and retaining key cybersecurity risk management personnel. Other challenges cited by a majority of agencies include managing competing priorities between cyber and operations, establishing consistent policies on cyber risk management, implementing standardized IT capabilities in federated and legacy environments, and combining disparate data sources into a quality view of risk.
One area that GAO keyed in on was the lack of clarity around OMB and NIST guidance, as 16 agencies identified the area as a challenge. Concerns included the lack of practical guidance, the inconsistency of policies, and the failure of the guidance to address new technologies.
“Without additional guidance or other processes to identify successful approaches for addressing these challenges, agencies will continue to be hindered in establishing programs for effectively managing their cybersecurity risks,” the report states.
GAO recommended that OMB develop guidance for agencies to share successful approaches to managing cybersecurity risk alongside other priorities and to consistently implement policies and procedures. The report also laid out recommendations for each agency to improve its practices, with 17 agencies concurring with the recommendations.