Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions – Government Accountability Office

4 minutes, 53 seconds Read

Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions | U.S. GAO


Skip to main content

Fast Facts

In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.

These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.

We recommended that these agencies implement the order’s remaining requirements.

The Capitol building at night with illustrations of digital locks, emails, credit card logos superimposed over it.

Skip to Highlights

Highlights

What GAO Found

Among its 115 provisions, the order contains 55 leadership and oversight requirements (actions to assist or direct the federal agencies in implementing the order). The three key agencies primarily responsible for the implementation of these requirements are the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget (OMB). These agencies fully completed 49 of the 55 requirements, partially completed five, and one was not applicable (see table below). Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected.

Progress in Implementing Executive Order 14028 Leadership and Oversight Requirements, as of March 2024

 

Executive Order Section

Number of requirements that are:

Fully complete

Partially complete

Not complete

Not applicable

Removing Barriers to Sharing Threat Information

6

1

Modernizing Federal Government Cybersecurity

8

Enhancing Software Supply Chain Security

16

1

Establishing a Cyber Safety Review Board

6

1

Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

4

1

Improving Detection of Cybersecurity Vulnerabilities and Incidents

7

1

Improving the Federal Government’s Investigative and Remediation Capabilities

2

1

Total

49

5

1

Legend: fully complete = those where the actions required are complete; partially complete = those where GAO judged significant, but not complete, progress to be made in completing a requirement; not complete = those where the progress made toward completion was minimal and not significant. The symbol “—” indicates that no requirements received this score.

Source: GAO analysis of documentation from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency; the National Institute of Standards and Technology; and the Office of Management and Budget. | GAO-24-106343

GAO’s High-Risk Series identified ten action areas critical to addressing the nation’s cybersecurity challenges. The order’s requirements directly address five of these ten critical action areas, while each of the other five could be addressed by other recently-issued strategies, frameworks, and guidance. For example, the cyber workforce and critical infrastructure action areas could potentially be addressed by the National Cyber Workforce Strategy and National Cybersecurity Strategy, if implemented effectively. In addition to the ten action areas, six federal chief information security officers (CISO) identified additional cyber issue areas they considered to be challenging, such as uncertainty in cyber funding, creating a culture that prioritizes cybersecurity as an essential mission component, and focus on cyber compliance versus cyber resilience. The order’s requirements also address each of these additional cyber issue areas identified by CISOs. For example, the order addresses uncertainties in cyber funding by requiring OMB to assist agencies in having sufficient resources to implement its requirements.

Why GAO Did This Study

For more than 25 years, GAO has identified information security as a high-risk area. During this period, the threat of cyber-based attacks on IT systems has continued to grow. In 2021, the President issued Executive Order 14028 to enhance federal resilience in protecting IT systems. The order contains requirements for federal agencies to improve their ability to identify, protect against, and respond to malicious cyber threats.

The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically report on agencies’ progress in improving their cybersecurity practices. This report examines the extent to which (1) agencies have implemented Executive Order 14028 leadership and oversight-related requirements and (2) the order has addressed federal cybersecurity challenges.

To do so, GAO identified government-wide leadership and oversight requirements in the order and the key agencies required to perform them. GAO then reviewed the agencies’ implementation of those requirements. GAO also compared challenges identified in its work and in discussions with federal CISOs against the content of the order to determine whether they were addressed.

Recommendations

GAO is making two recommendations to DHS and three to OMB to fully implement the order’s requirements. DHS agreed with recommendations to further define critical software and improve operations of the Cyber Safety Review Board. OMB stated it had no comments on GAO’s report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)
Department of Homeland Security The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board’s operations. (Recommendation 2)
Office of Management and Budget The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)
Office of Management and Budget The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)
Office of Management and Budget The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)

Full Report

GAO Contacts

Topics

CybersecuritySoftwareCompliance oversightInformation securitySupply chain managementFederal agenciesHomeland securityRemediationCritical infrastructure protectionCritical infrastructure vulnerabilities

This post was originally published on 3rd party site mentioned in the title of this site

Similar Posts