DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

OMB Releases Report on Federal Cybersecurity Risk

This is the first post in a DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.

The White House Office of Management and Budget (OMB) released in May 2018 its report to the president on federal cybersecurity risk determination. The report, which responds to the President’s May 2017 Executive Order 13800, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” comes as several key reports also required by Executive Order 13800 have been recently released in full or in summary form. The Federal Cybersecurity Risk Determination Report and Action Plan concludes that the recent government-wide cybersecurity risk assessment conducted by the OMB, in collaboration with the Department of Homeland Security (DHS), confirms the need for the U.S. government to take “bold approaches” to improve federal cybersecurity.

Federal Cybersecurity Risk Determination Report and Action Plan

The OMB and the DHS used 76 metrics to examine the cybersecurity capabilities of 96 federal agencies and their ability to “identify, detect, respond, and if necessary, recover” from a cyber incident. The report found that 74 percent of the federal agencies evaluated were either “At Risk” or “High Risk.” The 12 agencies categorized as “High Risk” lacked fundamental cybersecurity policies, processes, tools, and defenses, whereas the 59 agencies categorized as “At Risk” demonstrated significant vulnerabilities where some key cybersecurity policies, processes, and tools are in place. The 25 agencies deemed as “Managing Risk” instituted cybersecurity policies, procedures, and tools and actively managed their cybersecurity risks. Notably, the report does not identify which agencies were assigned which risk assessment level.

Though the agencies may face a range of issues involving cybersecurity risks, the report found four key areas where agencies struggle, including (i) limited situational awareness, (ii) a lack of standardized IT capabilities, (iii) limited network visibility, and (iv) a lack of accountability for managing risks. It identifies the following four core actions that are necessary to address cybersecurity across the federal enterprise:

  1. Increase cybersecurity threat awareness among federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks.
  2. Standardize IT and cybersecurity capabilities to control costs and improve asset management.
  3. Consolidate agency security operation centers (SOCs) to improve incident detection and response capabilities.
  4. Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.

As part of its ongoing effort to improve federal cybersecurity risk management, the OMB plans to work with agencies over the coming year to implement the four actions.

The report is the latest in a series of efforts by the OMB and the DHS to address cybersecurity issues among federal agencies. In October 2017, the DHS released its Binding Operational Directive 18-01, requiring federal executive branch departments and agencies to adopt online and email security standards. In May 2018, the DHS issued its Binding Operational Directive 18-02, mandating that federal entities safeguard high value assets involving federal information and information systems.

Other Executive Order 13800 reports

As DBR on Data previously reported, Executive Order 13800 directs federal departments and agencies to develop reports to identify and mitigate cybersecurity risks, emphasizing areas of concern such as securing and modernizing federal networks, protecting critical infrastructure, deterring adversaries in cyberspace, and building a strong cybersecurity workforce. The reports and summaries submitted to the president pursuant to Executive Order 13800, which have been made public so far, include:

  • Final Report to the President on Federal IT Modernization (Submitted by the President’s American Technology Council, in coordination with the Department of Homeland Security, Office of Management and Budget, General Services Administration, and in consultation with the Department of Commerce)
  • Support to Critical Infrastructure at Greatest Risk Summary (Submitted by the Department of Homeland Security in coordination with sector-specific agencies) and Supporting Transparency in the Marketplace Summary (Submitted by the Department of Homeland Security in coordination with the Department of Commerce)
  • A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (Submitted by the Departments of Commerce and Homeland Security)
  • Assessment of Electricity Disruption Incident Response Capabilities (Submitted by the Department of Energy)
  • Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats and Recommendations to the President on Protecting American Cyber Interests through International Engagement (Submitted by the Department of State with contributions from the Departments of Treasury, Defense, Commerce, Homeland Security, Justice, Energy and the Office of the U.S. Trade Representative)
  • A Report to the President on Supporting the Growth and Sustainability of the Nation’s Cybersecurity Workforce: Building the Foundation for a More Secure American Future (Submitted by the Departments of Commerce and Homeland Security)

June 28, 2018
Written by: Discerning Data Editorial Board