Information Security: Agencies Need to Improve Cyber Incident Response Practices
Highlights
What GAO Found
Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and its information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether actions to prevent the recurrence of an incident were taken. Although all 6 selected agencies that GAO reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. In addition, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies' cyber incident response practices. Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents.
DHS and a component, the United States Computer Emergency Readiness Team (US-CERT), offer services that assist agencies in preparing to handle cyber incidents, maintain awareness of the current threat environment, and deal with ongoing incidents. Officials from the 24 agencies GAO surveyed said that they were generally satisfied with the assistance provided, and made suggestions to make the services more useful, such as improving reporting requirements. Although US-CERT receives feedback from agencies to improve its services, it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies. Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents.
Cyber Incidents Reported by All Federal Agencies to US-CERT, Fiscal Years 2010-2013
Why GAO Did This Study
The number of cyber incidents reported by federal agencies increased in fiscal year 2013 significantly over the prior 3 years (see figure). An effective response to a cyber incident is essential to minimize any damage that might be caused. DHS and US-CERT have a role in helping agencies detect, report, and respond to cyber incidents.
GAO was asked to review federal agencies' ability to respond to cyber incidents. To do this, GAO reviewed the extent to which (1) federal agencies are effectively responding to cyber incidents and (2) DHS is providing cybersecurity incident assistance to agencies. GAO used a statistical sample of cyber incidents reported in fiscal year 2012 to project whether 24 major federal agencies demonstrated effective response activities. In addition, GAO evaluated incident response policies, plans, and procedures at 6 randomly selected federal agencies to determine adherence to federal guidance. GAO also examined DHS and US-CERT policies, procedures, and practices, and surveyed officials from the 24 federal agencies on their experience receiving incident assistance from DHS.
Recommendations
GAO is making recommendations to OMB and DHS to address incident response practices governmentwide, particularly in CyberStat meetings with agencies; to the heads of six agencies to strengthen their incident response policies, plans, and procedures; and to DHS to establish measures of effectiveness for the assistance US-CERT provides to agencies. The agencies generally concurred with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Department of Homeland Security | To improve the effectiveness of governmentwide cyber incident response activities, the Director of OMB and Secretary of Homeland Security should address agency incident response practices governmentwide, in particular through CyberStat meetings, such as emphasizing the recording of key steps in responding to an incident. | In 2016, we verified that OMB and DHS, in response to our recommendation, addressed agency incident response practices during CyberStat meetings through the use of presentation templates and processes which emphasize the recording of key steps in responding to an incident.
Office of Management and Budget | To improve the effectiveness of governmentwide cyber incident response activities, the Director of OMB and Secretary of Homeland Security should address agency incident response practices governmentwide, in particular through CyberStat meetings, such as emphasizing the recording of key steps in responding to an incident. | In 2016, we verified that OMB and DHS, in response to our recommendation, addressed agency incident response practices during CyberStat meetings through the use of presentation templates and processes which emphasize the recording of key steps in responding to an incident.
Department of Energy | To improve the effectiveness of cyber incident response activities, the Secretary of Energy should revise policies for incident response to include requirements for defining the incident response team's level of authority, prioritizing the severity ratings of incidents based on impact, and establishing measures of performance. | In 2016, we verified that DOE, in response to our recommendation, issued a policy that included requirements for defining the incident response team's level of authority, prioritized the severity ratings of incidents based on impact, and established measures of performance.
Department of Energy | To improve the effectiveness of cyber incident response activities, the Secretary of Energy should develop incident response procedures that provide instructions for containing incidents and revise procedures for incident response to prioritize the handling of incidents by impact. | In 2016, we verified that DOE, in response to our recommendation, provided instructions for the immediate shutdown of the system, the blocking of ports, and the blocking of Internet protocol addresses so that incidents can be contained. In addition, DOE has revised its procedures for prioritizing the handling of incidents by impact.
Department of Energy | To improve the effectiveness of cyber incident response activities, the Secretary of Energy should fully test the department's incident response capability. | In 2016, we verified that DOE, in response to our recommendation, fully tested the department's incident response capability by performing a tabletop exercise of its incident response plan.
Department of Energy | To improve the effectiveness of cyber incident response activities, the Secretary of Energy should establish clear requirements to ensure the department's incident response personnel are trained. | In 2016, we verified that DOE, in response to our recommendation, established clear requirements by developing a new incident training module that ensures the department's incident response personnel are trained.
Department of Justice | To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise policies for incident response by including requirements for defining the incident response team's level of authority, and prioritizing the severity ratings of incidents for unclassified systems, based on impact. | We verified that DOJ, in response to our recommendation, revised its Incident Reporting Handbook to include requirements for defining the incident response team's level of authority and prioritizing the severity ratings of incidents based on impact for unclassified systems.
Department of Justice | To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should revise the department's incident response plan to include quantifiable metrics for measuring the incident response capability and its effectiveness. | We verified that DOJ, in response to our recommendation, revised its Computer System Incident Response Plan to include metrics for measuring the incident response capability and its effectiveness.
Department of Justice | To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact. | We verified that DOJ, in response to our recommendation, developed and documented procedures for prioritizing the handling of incidents, in which a severity classification maps the type of incident to a predefined priority, such as critical, high, medium, or low, for handling the incident.
Department of Justice | To improve the effectiveness of cyber incident response activities, the Attorney General of the United States should ensure that all components test their incident response capability. | We verified that DOJ, in response to our recommendation, had components test their incident response capability by utilizing test scenarios.
Department of Transportation | To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should revise policies for incident response by including requirements for prioritizing the severity ratings of incidents based on impact and establishing measures of performance. | In 2016, we verified that DOT, in response to our recommendation, revised its incident response policy to include requirements for prioritizing the severity ratings of incidents based on impact and established performance measures.
Department of Transportation | To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should revise the department's incident response plan to include senior management's approval, and metrics for measuring the incident response capability and its effectiveness. | In 2016, we verified that DOT's chief information security officer, in response to our recommendation, signed and approved the department's incident response plan. The plan also included requirements for reporting incidents within established time frames and metrics to gauge implementation of these requirements.
Department of Transportation | To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should develop incident response procedures that provide instructions for prioritizing the handling of incidents by impact. | In 2016, we verified that DOT, in response to our recommendation, developed and documented incident response procedures on how to prioritize the handling of incidents by impact.
Department of Transportation | To improve the effectiveness of cyber incident response activities, the Secretary of Transportation should test the department's incident response capability. | In 2016, we verified that DOT, in response to our recommendation, tested its incident response capability by performing quarterly incident response exercises.
Department of Housing and Urban Development | To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should finalize policies for incident response and include in those policies requirements for prioritizing the severity ratings of incidents and establishing measures of performance. | In 2015, we verified that HUD, in response to our recommendation, finalized policies for incident response and included in those policies requirements for prioritizing the severity ratings of incidents and establishing measures of performance.
Department of Housing and Urban Development | (Priority Rec.) To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should develop a departmentwide incident response plan that includes, among other elements, senior management's approval, and metrics for measuring the incident response capability and its effectiveness. | In 2016, we verified that HUD's senior management, in response to our recommendation, developed and approved a departmentwide incident response policy and plan.
Department of Housing and Urban Development | To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should revise procedures for incident response to prioritize the handling of incidents by impact. | In 2015, we verified that HUD, in response to our recommendation, revised its procedures for incident response to prioritize the handling of incidents by impact.
Department of Housing and Urban Development | To improve the effectiveness of cyber incident response activities, the Secretary of Housing and Urban Development should test the department's incident response capability. | In 2015, we verified that HUD, in response to our recommendation, tested the department's incident response capability.
National Aeronautics and Space Administration | To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should revise policies for incident response by including requirements for establishing measures of performance. | In 2016, we verified that NASA, in response to our recommendation, revised its Information Security Incident Response and Management Handbook to ensure it included measures of performance.
National Aeronautics and Space Administration | To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should revise the agency's incident response plan to include metrics for measuring the incident response capability and its effectiveness. | In 2015, we verified that NASA, in response to our recommendation, revised its Incident Response and Management Handbook to ensure it included metrics for measuring the incident response capability and its effectiveness.
National Aeronautics and Space Administration | To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should test the agency's incident response capability. | In 2015, we verified that NASA, in response to our recommendation, tested the agency's incident response capability by way of a tabletop exercise.
National Aeronautics and Space Administration | To improve the effectiveness of cyber incident response activities, the Administrator of the National Aeronautics and Space Administration should establish clear requirements for training the agency's incident response personnel. | In 2016, we verified that NASA, in response to our recommendation, established clear requirements for training the agency's incident response personnel.
Department of Veterans Affairs | To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise policies for incident response by including requirements for defining the incident response team's level of authority, and establishing measures of performance. | We verified that VA, in response to our recommendation, revised its Handbook policy to include defining the level of authority for the incident response team and establishing measures of performance.
Department of Veterans Affairs | To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness. | We verified that VA, in response to our recommendation, revised its Cyber Security Incident Response Plan to include metrics for measuring the incident response capability and its effectiveness.
Department of Veterans Affairs | To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should test the department's incident response capability. | We verified that VA, in response to our recommendation, tested the department's incident response capability.
Department of Veterans Affairs | To improve the effectiveness of cyber incident response activities, the Secretary of Veterans Affairs should train the department's incident response personnel per the agency's requirements. | We verified that VA, in response to our recommendation, provided training to personnel with incident response responsibilities.
Department of Homeland Security | To improve the cyber incident response assistance provided to federal agencies, the Secretary of Homeland Security should establish measures to evaluate the effectiveness of the cyber incident assistance it provides to agencies. | In 2015, we verified that DHS, in response to our recommendation, established performance measures to evaluate the effectiveness of the cyber incident assistance it provides to agencies. Specifically, DHS's US-CERT Incident Response Satisfaction Evaluation questionnaire provides agencies a platform to rate the effectiveness of the cyber incident assistance they received from DHS.
Department of Energy | To improve the effectiveness of cyber incident response activities, the Secretary of Energy should revise the department's incident response plan to include metrics for measuring the incident response capability and its effectiveness. | In 2016, we verified that DOE, in response to our recommendation, included requirements for reporting incidents within established time frames and metrics to gauge implementation of these requirements.