Information Security:

Agencies Need to Improve Cyber Incident Response Practices

GAO-14-354: Published: Apr 30, 2014. Publicly Released: May 30, 2014.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken. Although all 6 selected agencies that GAO reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. In addition, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies' cyber incident response practices. Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents.

DHS and a component, the United States Computer Emergency Readiness Team (US-CERT), offer services that assist agencies in preparing to handle cyber incidents, maintain awareness of the current threat environment, and deal with ongoing incidents. Officials from the 24 agencies GAO surveyed said that they were generally satisfied with the assistance provided, and made suggestions to make the services more useful, such as improving reporting requirements. Although US-CERT receives feedback from agencies to improve its services, it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies. Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents.

Cyber Incidents Reported by All Federal Agencies to US-CERT, Fiscal Years 2010-2013

Cyber Incidents Reported by All Federal Agencies to US-CERT, Fiscal Years 2010-2013

Why GAO Did This Study

The number of cyber incidents reported by federal agencies increased in fiscal year 2013 significantly over the prior 3 years (see figure). An effective response to a cyber incident is essential to minimize any damage that might be caused. DHS and US-CERT have a role in helping agencies detect, report, and respond to cyber incidents.

GAO was asked to review federal agencies' ability to respond to cyber incidents. To do this, GAO reviewed the extent to which (1) federal agencies are effectively responding to cyber incidents and (2) DHS is providing cybersecurity incident assistance to agencies. To do this, GAO used a statistical sample of cyber incidents reported in fiscal year 2012 to project whether 24 major federal agencies demonstrated effective response activities. In addition, GAO evaluated incident response policies, plans, and procedures at 6 randomly-selected federal agencies to determine adherence to federal guidance. GAO also examined DHS and US-CERT policies, procedures, and practices, and surveyed officials from the 24 federal agencies on their experience receiving incident assistance from DHS.

What GAO Recommends

GAO is making recommendations to OMB and DHS to address incident response practices governmentwide, particularly in CyberStat meetings with agencies; to the heads of six agencies to strengthen their incident response policies, plans, and procedures; and to DHS to establish measures of effectiveness for the assistance US-CERT provides to agencies. The agencies generally concurred with GAO's recommendations.

For more information, contact Gregory C.Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve the effectiveness of governmentwide cyber incident response activities, the Director of OMB and Secretary of Homeland Security should address agency incident response practices governmentwide, in particular through CyberStat meetings, such as emphasizing the recording of key steps in responding to an incident.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of governmentwide cyber incident response activities, the Director of OMB and Secretary of Homeland Security should address agency incident response practices governmentwide, in particular through CyberStat meetings, such as emphasizing the recording of key steps in responding to an incident.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Energy should revise policies for incident response to include requirements for defining the incident response team's level of authority, prioritizing the severity ratings of incidents based on impact and establishing measures of performance.

    Agency Affected: Department of Energy

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Energy should develop incident response procedures that provide instructions for containing incidents and revise procedures for incident response to prioritize the handling of incidents by impact.

    Agency Affected: Department of Energy

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Energy should fully test the department's incident response capability.

    Agency Affected: Department of Energy

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Energy should establish clear requirements to ensure the department's incident response personnel are trained.

    Agency Affected: Department of Energy

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise policies for incident response by including requirements for defining the incident response team's level of authority, and prioritizing the severity ratings of incidents for unclassified systems, based on impact.

    Agency Affected: Department of Justice

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise the department's incident response plan to include quantifiable metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: Department of Justice

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact.

    Agency Affected: Department of Justice

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should ensure that all components test their incident response capability.

    Agency Affected: Department of Justice

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should revise policies for incident response by including requirements for prioritizing the severity ratings of incidents based on impact and establishing measures of performance.

    Agency Affected: Department of Transportation

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should revise the department's incident response plan to include senior management's approval, and metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: Department of Transportation

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact.

    Agency Affected: Department of Transportation

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should test the department's incident response capability.

    Agency Affected: Department of Transportation

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should finalize policies for incident response and include in those policies requirements for prioritizing the severity ratings of incidents and establishing measures of performance.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should develop a departmentwide incident response plan that includes, among other elements, senior management's approval, and metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should revise procedures for incident response to prioritize the handling of incidents by impact.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should test the department's incident response capability.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should revise policies for incident response by including requirements for establishing measures of performance.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should revise the agency's incident response plan to include metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should test the agency's incident response capability.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should establish clear requirements for training the agency's incident response personnel.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise policies for incident response by including requirements for defining the incident response team's level of authority, and establishing measures of performance.

    Agency Affected: Department of Veterans Affairs

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: Department of Veterans Affairs

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should test the department's incident response capability.

    Agency Affected: Department of Veterans Affairs

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should train the department's incident response personnel per the agency's requirements.

    Agency Affected: Department of Veterans Affairs

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the cyber incident response assistance provided to federal agencies, the Secretary of Homeland Security should establish measures to evaluate the effectiveness of the cyber incident assistance it provides to agencies.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the effectiveness of cyber incident response activities, the Secretary of Energy should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness.

    Agency Affected: Department of Energy

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Jul 17, 2014

    Jun 25, 2014

    May 30, 2014

    Apr 17, 2014

    Apr 2, 2014

    Jan 28, 2014

    Jan 8, 2014

    Sep 26, 2013

    Feb 20, 2013

    Feb 1, 2013

    Looking for more? Browse all our products here