Federal agencies are remediating critical and high vulnerabilities in their IT systems within the allotted time frame only about half the time, according to figures within the Department of Homeland Security’s (DHS) fiscal year 2020 congressional budget justification.
The budget justification, sent to Congress in April, includes several “strategic measures” on how the department is performing on its goals. Under the Cybersecurity and Infrastructure Security Agency’s section, the metrics show that in FY2018, 52 percent of agencies mitigated high or critical vulnerabilities discovered by DHS cyber hygiene scanning on time, far below DHS’ goal of 80 percent.
The figure shows that many agencies are struggling to remediate within DHS’ timelines, and may be leaving some gaps in their cyber defenses. For FY2019, DHS lowered the goal to 70 percent.
However, DHS has not eased its expectations for agencies fixing their vulnerabilities. The department released a binding operational directive on April 30 that shortens the timeline for agencies to fix critical vulnerabilities from 30 days to 15 days and requires that high vulnerabilities be remediated within 30 days.
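As an added illustration, not code from the article or from DHS, the script below shows how an agency's remediation team could score its own scan findings against the 15-day critical and 30-day high deadlines the directive sets, compare the on-time rate with the department's target, and produce the overdue worklist. The findings, dates and identifiers are constructed for the example, and the `deadlines` parameter is a hypothetical knob that lets the same findings be re-scored against the earlier 30-day critical window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines in days under the directive described above
# (critical: 15 days, high: 30 days). Lower severities are out of scope here.
DEADLINES = {"critical": 15, "high": 30}


@dataclass
class Finding:
    finding_id: str                    # constructed identifier, not a real scan result
    severity: str                      # "critical" or "high"
    detected: date                     # date the hygiene scan first reported it
    remediated: Optional[date] = None  # None means the finding is still open


def due_date(f: Finding, deadlines=DEADLINES) -> date:
    """Date by which the finding must be fixed under the given deadline table."""
    return f.detected + timedelta(days=deadlines[f.severity])


def classify(f: Finding, as_of: date, deadlines=DEADLINES) -> str:
    """Return 'on_time', 'late' or 'pending' for a finding as of a given date."""
    due = due_date(f, deadlines)
    if f.remediated is not None:
        return "on_time" if f.remediated <= due else "late"
    # Still open: overdue if the deadline has passed, otherwise not yet scorable.
    return "late" if as_of > due else "pending"


def on_time_rate(findings, as_of: date, deadlines=DEADLINES):
    """Share of scorable findings that were fixed by their deadline.

    Open findings whose deadline has not passed are excluded from the
    denominator: a 'mitigated on time' metric can only be scored once the
    fix has landed or the deadline has expired.
    """
    counts = {"on_time": 0, "late": 0, "pending": 0}
    for f in findings:
        counts[classify(f, as_of, deadlines)] += 1
    scored = counts["on_time"] + counts["late"]
    rate = counts["on_time"] / scored if scored else 0.0
    return rate, counts


def meets_goal(rate: float, goal: float) -> bool:
    """True when the on-time rate reaches the target share (e.g. 0.80 or 0.70)."""
    return rate >= goal


def overdue(findings, as_of: date, deadlines=DEADLINES):
    """Open findings past their deadline, earliest deadline first."""
    late = [f for f in findings
            if f.remediated is None and as_of > due_date(f, deadlines)]
    return sorted(late, key=lambda f: due_date(f, deadlines))


# Constructed sample scan output; every value is illustrative only.
SAMPLE = [
    Finding("F-001", "critical", date(2019, 5, 1), date(2019, 5, 10)),  # fixed on day 9
    Finding("F-002", "critical", date(2019, 5, 1), date(2019, 5, 20)),  # fixed on day 19
    Finding("F-003", "high",     date(2019, 5, 1), date(2019, 5, 28)),  # fixed on day 27
    Finding("F-004", "high",     date(2019, 5, 1), None),               # open and overdue
    Finding("F-005", "critical", date(2019, 6, 10), None),              # open, window not expired
]
AS_OF = date(2019, 6, 15)

if __name__ == "__main__":
    rate, counts = on_time_rate(SAMPLE, AS_OF)
    print(f"on-time rate as of {AS_OF}: {rate:.0%} {counts}")
    print("meets the 70 percent FY2019 target?", meets_goal(rate, 0.70))
    for f in overdue(SAMPLE, AS_OF):
        print("overdue:", f.finding_id, f.severity, "was due", due_date(f))
```

Run as-is, the sample scores 2 of 4 scorable findings on time (50 percent), which misses the 70 percent target; F-002 is the finding that would have counted as on time under the previous 30-day critical window but is late under the 15-day one, which is exactly the kind of shift an agency should expect to see in its own numbers after the directive.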
Other statistics from the budget justification painted a more positive picture of Federal cybersecurity and DHS’ performance. Around 93 percent of survey respondents found the National Cybersecurity and Communications Integration Center (NCCIC) and its operational cybersecurity information products helpful. Similarly, 96 percent were satisfied with the timeliness and relevance of cyber and infrastructure analysis-based products from the Office of Cyber and Infrastructure Analysis.
The justification also noted that 29 percent of incidents detected by the EINSTEIN system came from nation-state attacks, a positive result considering that DHS states “the overall percentage of incidents related to nation-state activity is expected to increase through greater information sharing with partners and improved indicator development.”
On infrastructure protection, 85 percent of infrastructure operators reported implementing at least one recommendation after a CISA cybersecurity assessment, and 87 percent were likely to include vulnerability information in their security and resilience enhancements.