A recent review by the Government Accountability Office (GAO) found that the vast majority of leadership and oversight requirements from the 2021 executive order on enhancing the nation’s cybersecurity have been met, with only a few critical tasks remaining incomplete.
President Joe Biden initiated the executive order as a comprehensive mandate designed to safeguard federal information systems from increasingly sophisticated cyberattacks. The GAO’s findings highlight significant progress in implementing this directive, illustrating the federal commitment to advancing cybersecurity measures while also pointing out the challenges in fully achieving the order’s objectives.
Overview of the 2021 Executive Order
The 2021 Executive Order, aimed at strengthening federal cybersecurity defenses, set forth 55 specific requirements to be met by various agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB). According to the GAO report, 49 of these requirements have been fully completed, five have been partially completed, and one was determined to be not applicable due to timing issues with other requirements.
Key Achievements
The federal agencies have made significant strides in several areas:
- Enhanced Cyber Threat Information Sharing: Procedures have been developed to improve the sharing of cyber threat information across federal agencies.
- Guidance on Critical Software Security: Guidelines have been established to bolster security measures for software deemed critical to federal operations.
- Incident Response Playbook: A standardized playbook for conducting cyber incident responses has been successfully created.
These accomplishments reflect a concerted effort by federal entities to adhere to the directives aimed at bolstering the nation’s cyber defenses.
Areas Needing Improvement
Despite these achievements, some areas have lagged:
- Cost Analysis and Budgeting: OMB has struggled to fully incorporate a required cost analysis into its annual budget process, which is crucial for ensuring that federal agencies have the resources needed to implement cybersecurity recommendations effectively.
- Endpoint Detection and Response (EDR): There has been a lack of documented evidence that OMB has worked with agencies to ensure they have adequate resources for deploying EDR technologies, which are vital for detecting and responding to cyber incidents proactively.
- Log Management: Although OMB has issued guidance on improving log retention and management, it has not demonstrated that agencies have the resources needed for proper implementation.
CISA Facing Challenges
CISA has faced challenges in defining “critical software” for governmental agencies and the private sector, initially struggling to compile and share a list that meets the needs of all stakeholders. While OMB and NIST have successfully met this requirement, a CISA official expressed concerns about potential misinterpretations of the list and announced plans to release a revised version with clearer guidelines.
Additionally, CISA has been criticized for its management of the Cyber Safety Review Board, a multi-agency group with public and private sector members. The board has been scrutinized by Congress and industry leaders for lacking authority and independence. Although CISA officials have indicated progress in adopting the board’s recommendations and improving its operations, the GAO noted that CISA has yet to provide concrete evidence of these implementations, raising concerns about the board’s effectiveness in future incident reviews.
The Wrap
The completion of nearly all the requirements of the 2021 Executive Order is commendable, but the few remaining tasks are crucial for ensuring reliable cybersecurity defenses. The GAO has recommended additional actions for both the Department of Homeland Security and OMB to address these gaps effectively.
As cyberattacks continue to evolve in complexity and scale, these unfinished tasks become even more critical. Completing them will not only enhance current security measures but also set a precedent for future cybersecurity initiatives. The ongoing commitment and adjustments by federal agencies will be essential in maintaining and advancing the cybersecurity framework necessary to safeguard the United States from tomorrow’s cyber threats.