Three years after massive breaches at the Office of Personnel Management that led to a major push to overhaul federal cybersecurity, most agencies are still either “at risk” or at “high risk” of cyberattacks, according to the Office of Management and Budget.
OMB found that 71 of 96 agencies reviewed were not effectively managing risk, requiring “bold approaches” to secure their networks, the agency says in a new report. Risk assessments show that a lack of threat information available to agencies “results in ineffective allocations” of their limited budgets, OMB says.
“This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity,” the report reads.
In the report, a “high risk” designation means that key cybersecurity policies and tools are either absent or insufficiently deployed, while an “at risk” rating means some key policies are in place to lessen cyber risk, “but significant gaps remain.”
An executive order that President Donald Trump signed last year mandated the governmentwide survey of federal cyber risk and sought to hold agency heads accountable for that risk. According to the new OMB report, there’s a lot of accounting to be done.
While hackers have gotten more advanced, agencies’ understanding of attackers’ methods has not, according to the report. Agencies couldn’t identify the method of attack in over a third of the 30,899 cyber incidents in fiscal 2016 that led to a compromise of information or system functionality, OMB said.
Read more about the findings in the new report on CyberScoop.