Federal Agencies Failing to Meet Critical Cyber Deadlines

Agencies Lack Capabilities to Track, Investigate and Remediate Threats, Report Says
The GAO says major agencies are failing to meet critical deadlines for logging. (Image: Shutterstock)

At least 20 federal agencies failed to meet an August deadline outlined in the 2021 cybersecurity executive order to implement critical cyberthreat incident response capabilities, a congressional watchdog concluded.

The departments of Commerce, State and Justice are included in a Dec. 4 list compiled by the Government Accountability Office of agencies that failed to meet advanced logging requirements by the summer deadline. Just three of the 23 largest federal agencies managed to meet the deadline.

Advanced logging ensures agencies track cybersecurity incidents while appropriately managing and retaining tracking logs. According to the GAO, 17 of the 20 agencies that failed to meet the deadline were at the "tier zero" level, meaning that their logging capabilities were not considered effective, and three were at the "basic" tier one level.

"Until the agencies implement all event logging requirements, the federal government's ability to fully detect, investigate, and remediate cyber threats will be constrained," the report said.

Agencies said they faced challenges due to a lack of staff, technical challenges and limitations in cyberthreat information sharing. The GAO said that several governmentwide initiatives are underway to address these issues, including a new threat intelligence platform that the Cybersecurity and Infrastructure Security Agency plans to begin rolling out before next fall.

"Technical gaps identified in the report often translate in an inability to effectively detect or respond to an incident," said Alejandro Rivas-Vásquez, global head of digital forensics and incident response for the cybersecurity firm NCC Group.

Rivas-Vásquez said that a "lack of staff can be fixed during an incident through third-party arrangements" but "if event data is unavailable or is of poor quality, the investigation will be negatively impacted."

In addition to challenges with staffing and cyberthreat information sharing, CISA has identified the cost associated with cloud logging capabilities as a critical issue - particularly for commercial and government customers of the widely used Microsoft basic enterprise license.

In July, Microsoft announced it would expand cloud logging capabilities at no additional cost after some of its customers failed to identify a Chinese espionage campaign because they had not been paying for the company's top-tier cloud services (see: Microsoft Expands Logging Access After Chinese Hack Blowback).

The GAO report included 20 recommendations for the agencies that failed to meet the logging deadline to fully implement logging capabilities at all criticality levels. Other agencies that failed to meet the deadline include the departments of Housing and Urban Development, Interior, Labor, Transportation, Treasury and Veterans Affairs, among others.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
