This is the first post in a DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.

The White House Office of Management and Budget (OMB) released in May 2018 its report to the president on federal cybersecurity risk determination. The report, which responds to the President’s May 2017 Executive Order 13800, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” comes as several key reports also required by Executive Order 13800 have been recently released in full or in summary form. The Federal Cybersecurity Risk Determination Report and Action Plan concludes that the recent government-wide cybersecurity risk assessment conducted by the OMB, in collaboration with the Department of Homeland Security (DHS), confirms the need for the U.S. government to take “bold approaches” to improve federal cybersecurity.

Federal Cybersecurity Risk Determination Report and Action Plan

The OMB and the DHS used 76 metrics to examine the cybersecurity capabilities of 96 federal agencies and their ability to “identify, detect, respond, and if necessary, recover” from a cyber incident. The report found that 74 percent of the federal agencies evaluated were either “At Risk” or “High Risk.” The 12 agencies categorized as “High Risk” lacked fundamental cybersecurity policies, processes, tools, and defenses, whereas the 59 agencies categorized as “At Risk” demonstrated significant vulnerabilities where some key cybersecurity policies, processes, and tools are in place. The 25 agencies deemed as “Managing Risk” instituted cybersecurity policies, procedures, and tools and actively managed their cybersecurity risks. Notably, the report does not identify which agencies were assigned which risk assessment level.

Though the agencies may face a range of issues involving cybersecurity risks, the report found four key areas where agencies struggle, including (i) limited situational awareness, (ii) a lack of standardized IT capabilities, (iii) limited network visibility, and (iv) a lack of accountability for managing risks. It identifies the following four core actions that are necessary to address cybersecurity across the federal enterprise:

  1. Increase cybersecurity threat awareness among federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks.
  2. Standardize IT and cybersecurity capabilities to control costs and improve asset management.
  3. Consolidate agency security operation centers (SOCs) to improve incident detection and response capabilities.
  4. Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.

As part of its ongoing effort to improve federal cybersecurity risk management, the OMB plans to work with agencies over the coming year to implement the four actions.

The report is the latest in a series of efforts by the OMB and the DHS to address cybersecurity issues among federal agencies. In October 2017, the DHS released its Binding Operational Directive 18-01, requiring federal executive branch departments and agencies to adopt online and email security standards. In May 2018, the DHS issued its Binding Operational Directive 18-02, mandating that federal entities safeguard high value assets involving federal information and information systems.

Other Executive Order 13800 reports

As DBR on Data previously reported, Executive Order 13800 directs federal departments and agencies to develop reports to identify and mitigate cybersecurity risks, emphasizing areas of concern such as securing and modernizing federal networks, protecting critical infrastructure, deterring adversaries in cyberspace, and building a strong cybersecurity workforce. The reports and summaries submitted to the president pursuant to Executive Order 13800, which have been made public so far, include: