Today, the Office of Management and Budget is launching a new tool that provides transparency on the state of cybersecurity across Federal agencies. The tool provides the public and key stakeholders, including Congress, with metrics to track agency progress toward implementing the Executive Order on Improving the Nation’s Cybersecurity, and safeguarding the data and systems they manage on behalf of the American people from events such as SolarWinds, Log4j, and more. The new progress report assesses the majority of the 24 CFO Act agencies. Metrics are grouped into five categories, aligning with NIST’s Cybersecurity Framework, an industry-recognized common language for understanding, managing, and expressing cybersecurity risk.
What is in the Progress Report:
The progress report scores agencies on leading practices across five categories: Identify, Protect, Detect, Respond, and Recover. Each category is weighted at 15 points, with the exception of the ‘Protect’ category—which is weighted at 40 points, because it includes more metrics, such as the use of multi-factor authentication and encryption of data, than the other categories. The assessed categories measure agencies on the following:
- Identify: measures an agency’s ability to develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. It considers whether agency systems have undergone the necessary security assessments and have an authorization to operate.
- Protect: measures an agency’s ability to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. It considers security features including whether agencies have enabled multifactor authentication on its systems, encrypt data, and have a patch management process that utilizes the severity of a vulnerability to prioritize security patches.
- Detect: measures an agency’s ability to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. It considers capabilities such as penetration testing, red teaming exercises, and the establishment of an agency’s vulnerability disclosure program.
- Respond: measures an agency’s ability to develop and implement the appropriate activities to take action regarding a detected cybersecurity event. It considers capabilities such as whether an agency has incorporated the Federal Government’s standard operating procedures into its incident response plan and whether an agency has established the secure channels to share incident data with CISA.
- Recover: measures an agency’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. It considers capabilities such as a communications strategy to coordinate support and whether an agency has developed contingency plans for its high value assets.
What the Data Tell Us:
The data tell us that agencies have made great strides in executing key Administration cybersecurity priorities and reducing the risk to our Government, but significant room for improvement remains across the Federal Government. Most agencies scored very high in the Identify, Respond, and Recover categories, but the scorecard identified security gaps for big agencies in the Protect and Detect categories. Overall, the progress report underscored that agencies are ready to assess and respond to cyber incidents. Moreover, the data reflect the work agencies did this past year to get that level of readiness. For instance, over the course of last year, every agency worked to evaluate CISA’s Cybersecurity Incident and Vulnerability Response Playbooks against their current incident response procedures and determined a process for sharing incident details electronically with CISA.
Additionally, the data highlight that agencies must continue to incorporate encryption and multifactor authentication throughout all agency systems, and increase the rate of penetration testing and red teaming— a method of thinking about lines of attacks on Federal systems as our adversaries would.
Looking Forward: We’re raising the bar and focusing on outcomes.
The metrics presented today are a starting point and will continue to evolve in response to new risks and threats in cyberspace. Starting next year, we will raise the bar in several areas by requiring agencies to provide more details on their endpoint detection and response toolsets, log management capabilities, and more. OMB works with our partners in the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Chief Information Officers (CIO) Council to refine the metrics used in the progress report. OMB and CISA also work together to ensure that agencies that are not making progress receive appropriate support and technical assistance to uplift their security practices.
As stated in the Cyber Executive Order, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” Bringing transparency to the state of Federal cybersecurity will help identify agency wins and challenges, and enable agencies to close critical gaps with expediency. Collaboration is key to our success. As we work with Congress and the dedicated IT and cybersecurity teams across Government, we will drive the change we know is possible to safeguard our Nation.