As stated in President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028), “the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” EO 14028 and subsequent Administration actions are prioritizing Federal agency investments in cybersecurity defenses, including migrating to a zero trust architecture. With these actions, the Federal Government seeks to rapidly shift to a new cybersecurity paradigm, and dramatically reduce the risk of successful cyber attacks against our digital infrastructure.
Each fiscal year, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency develop cybersecurity metrics – known as Federal Information Security Modernization Act (FISMA) metrics – to be used in oversight of agencies’ information security policies and practices.
These metrics set forth a maturity baseline for cybersecurity to enable more informed, risk-based decisions and to achieve observable security outcomes. The cybersecurity scores below, which are derived from those FISMA metrics, represent the Federal Government’s progress in achieving EO 14028 milestones and implementing key cybersecurity measures.
OMB is committed to working with agencies to strengthen and modernize their information technology systems to bolster their cybersecurity posture and improve the defense and resilience of the networks they manage on behalf of the American people. Federal agencies are making tangible security gains, but large-scale change as envisioned in EO 14028 requires continued investment, collaboration, and cultural change.
Summary of Agency Performance
Scores represent agency progress in achieving EO 14028 milestones and implementing key cybersecurity measures
Composite Score
- 90-100
- 80-89
- 70-79
- 60-69
- <59
No. of Agencies
- 12
- 7
- 4
- 0
- 0
Key
The scores above are derived from FISMA metrics and aligned to the National Institute of Standards and Technology’s Cybersecurity Framework.
Download Table- Identify (Highest Possible Score: 15.0) measures an agency’s ability to develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. It considers whether agency systems have undergone the necessary security assessments and have an authorization to operate.
- Protect (Highest Possible Score: 40.0) measures an agency’s ability to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. It considers security features including whether agencies have enabled multifactor authentication on its systems, encrypt data, and have a patch management process that utilizes the severity of a vulnerability to prioritize security patches.
- Detect (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. It considers capabilities such as penetration testing, red teaming exercises, and the establishment of an agency’s vulnerability disclosure program.
- Respond (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to take action regarding a detected cybersecurity event. It considers capabilities such as whether an agency has tested incident response capabilities and selected Enterprise Detection & Response (EDR) platforms to enhance those activities.
- Recover (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. It considers capabilities such as whether an agency has established an enterprise continuity plan and whether they have tested the contingency plans for their high value assets.
Summary of Agency Performance
Scores represent agency progress in achieving EO 14028 milestones and implementing key cybersecurity measures
Composite Score
- 90-100
- 80-89
- 70-79
- 60-69
- <59
No. of Agencies
- 2
- 11
- 10
- 0
- 0
Key
The scores above are derived from FISMA metrics and aligned to the National Institute of Standards and Technology’s Cybersecurity Framework.
Download Table- Identify (Highest Possible Score: 15.0) measures an agency’s ability to develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. It considers whether agency systems have undergone the necessary security assessments and have an authorization to operate.
- Protect (Highest Possible Score: 40.0) measures an agency’s ability to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. It considers security features including whether agencies have enabled multifactor authentication on its systems, encrypt data, and have a patch management process that utilizes the severity of a vulnerability to prioritize security patches.
- Detect (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. It considers capabilities such as penetration testing, red teaming exercises, and the establishment of an agency’s vulnerability disclosure program.
- Respond (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to take action regarding a detected cybersecurity event. It considers capabilities such as whether an agency has tested incident response capabilities and selected Enterprise Detection & Response (EDR) platforms to enhance those activities.
- Recover (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. It considers capabilities such as whether an agency has established an enterprise continuity plan and whether they have tested the contingency plans for their high value assets.
Summary of Agency Performance
Scores represent agency progress in achieving EO 14028 milestones and implementing key cybersecurity measures
Composite Score
- 90-100
- 80-89
- 70-79
- 60-69
- <59
No. of Agencies
- 1
- 14
- 7
- 1
- 0
Key
The scores above are derived from FISMA metrics and aligned to the National Institute of Standards and Technology’s Cybersecurity Framework.
Download Table- Identify (Highest Possible Score: 15.0) measures an agency’s ability to develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. It considers whether agency systems have undergone the necessary security assessments and have an authorization to operate.
- Protect (Highest Possible Score: 40.0) measures an agency’s ability to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. It considers security features including whether agencies have enabled multifactor authentication on its systems, encrypt data, and have a patch management process that utilizes the severity of a vulnerability to prioritize security patches.
- Detect (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. It considers capabilities such as penetration testing, red teaming exercises, and the establishment of an agency’s vulnerability disclosure program.
- Respond (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to take action regarding a detected cybersecurity event. It considers capabilities such as whether an agency has tested incident response capabilities and selected Enterprise Detection & Response (EDR) platforms to enhance those activities.
- Recover (Highest Possible Score: 15.0) measures an agency’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. It considers capabilities such as whether an agency has established an enterprise continuity plan and whether they have tested the contingency plans for their high value assets.
