Twenty of the 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies have failed to meet the White House’s cyber incident logging requirements by an August 2023 deadline, and according to a Dec. 4 watchdog report, 17 of these agencies were found to be at the lowest level of maturity – tier 0 – in that category.
The Government Accountability Office (GAO) found that only three agencies had met the advanced tier 3 level required by the Office of Management and Budget (OMB) by the August 2023 deadline.
In its August 2021 memo – as directed by Present Biden’s cybersecurity executive order – OMB called on Federal agencies to ensure that cybersecurity incidents are tracked and that these tracking logs are appropriately retained and managed.
All 23 agencies were required to reach the event logging advanced tier 3 – “logging requirements at all criticality levels are met” – by August 2023.
GAO’s 79-page report found that only three of the civilian CFO Act agencies did reach the maturity level tier 3 by the deadline. These three agencies were the Department of Agriculture, the National Science Foundation, and the Small Business Administration.
However, as of August 2023, 17 agencies were at tier 0, and three agencies were at tier 1, the report finds.
Officials from many of those agencies told GAO that they did not expect to get to the tier 3 level in the near term.
Specifically, two agencies estimated reaching tier 1 in fiscal year 2023 and another agency by fiscal year 2024, while seven agencies estimated not reaching tier 3 until between fiscal years 2024 and 2026. Ten agencies did not provide an updated timeline for when they expect to ultimately reach tier 3.
Lack of staff, technical challenges, and limitations in cyberthreat information sharing have made it more difficult for agencies to adopt optimal cybersecurity practices, the watchdog agency added.
GAO noted that Federal entities have ongoing efforts that can assist in addressing these challenges, including onsite cyber incident response assistance from the Cybersecurity and Infrastructure Security Agency (CISA), event logging workshops and guidance, and enhancements to a cyber threat information sharing platform.
The report also addresses the long-term efforts planned – such as implementation of the National Workforce and Education Strategy and a new threat intelligence platform offering from CISA – targeted to roll out its first phase to Federal departments and agencies in fiscal year 2024.
“Information from federal IT logs is invaluable in the detection, investigation, and remediation of cyberthreats,” GAO’s report says. “We recommended that federal agencies fully implement requirements to log cybersecurity events.”
Specifically, GAO is making 20 recommendations to 19 agencies to, among other things, fully implement event logging requirements from OMB. Sixteen agencies agreed with the recommendations and three neither agreed nor disagreed.
The nearly 80-page report also details that the Federal agencies have made progress in preparing for and responding to cyber threats. For instance, all 23 of the agencies have begun endpoint detection and response frameworks that seek to detect digital threats like ransomware or data breaches across entire networks.
