
Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions

GAO-24-106343 Published: Apr 18, 2024. Publicly Released: Apr 18, 2024.

Fast Facts

In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS's Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.

These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.

We recommended that these agencies implement the order's remaining requirements.


Highlights

What GAO Found

Among its 115 provisions, the order contains 55 leadership and oversight requirements (actions to assist or direct the federal agencies in implementing the order). The three key agencies primarily responsible for the implementation of these requirements are the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget (OMB). These agencies fully completed 49 of the 55 requirements, partially completed five, and one was not applicable (see table below). Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected.

Progress in Implementing Executive Order 14028 Leadership and Oversight Requirements, as of March 2024

Executive Order Section                                                              | Fully complete | Partially complete | Not complete | Not applicable
Removing Barriers to Sharing Threat Information                                      | 6              | 1                  | —            | —
Modernizing Federal Government Cybersecurity                                         | 8              | —                  | —            | —
Enhancing Software Supply Chain Security                                             | 16             | 1                  | —            | —
Establishing a Cyber Safety Review Board                                             | 6              | 1                  | —            | —
Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents | 4              | —                  | —            | 1
Improving Detection of Cybersecurity Vulnerabilities and Incidents                   | 7              | 1                  | —            | —
Improving the Federal Government's Investigative and Remediation Capabilities        | 2              | 1                  | —            | —
Total                                                                                | 49             | 5                  | —            | 1

Legend: fully complete = those where the actions required are complete; partially complete = those where GAO judged significant, but not complete, progress to be made in completing a requirement; not complete = those where the progress made toward completion was minimal and not significant. The symbol “—” indicates that no requirements received this score.

Source: GAO analysis of documentation from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; the National Institute of Standards and Technology; and the Office of Management and Budget. | GAO-24-106343

GAO's High-Risk Series identified ten action areas critical to addressing the nation's cybersecurity challenges. The order's requirements directly address five of these ten critical action areas, while each of the other five could be addressed by other recently issued strategies, frameworks, and guidance. For example, the cyber workforce and critical infrastructure action areas could potentially be addressed by the National Cyber Workforce Strategy and the National Cybersecurity Strategy, if implemented effectively. In addition to the ten action areas, six federal chief information security officers (CISOs) identified additional cyber issue areas they considered to be challenging, such as uncertainty in cyber funding, creating a culture that prioritizes cybersecurity as an essential mission component, and a focus on cyber compliance rather than cyber resilience. The order's requirements also address each of these additional cyber issue areas identified by CISOs. For example, the order addresses uncertainties in cyber funding by requiring OMB to assist agencies in having sufficient resources to implement its requirements.

Why GAO Did This Study

For more than 25 years, GAO has identified information security as a high-risk area. During this period, the threat of cyber-based attacks on IT systems has continued to grow. In 2021, the President issued Executive Order 14028 to enhance federal resilience in protecting IT systems. The order contains requirements for federal agencies to improve their ability to identify, protect against, and respond to malicious cyber threats.

The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically report on agencies' progress in improving their cybersecurity practices. This report examines the extent to which (1) agencies have implemented Executive Order 14028 leadership and oversight-related requirements and (2) the order has addressed federal cybersecurity challenges.

To do so, GAO identified government-wide leadership and oversight requirements in the order and the key agencies required to perform them. GAO then reviewed the agencies' implementation of those requirements. GAO also compared challenges identified in its work and in discussions with federal CISOs against the content of the order to determine whether they were addressed.

Recommendations

GAO is making two recommendations to DHS and three to OMB to fully implement the order's requirements. DHS agreed with recommendations to further define critical software and improve operations of the Cyber Safety Review Board. OMB stated it had no comments on GAO's report.

Recommendations for Executive Action

Recommendation 1 (Department of Homeland Security)
The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software.
Status: Closed – Implemented
The Department of Homeland Security, through CISA, stated that it generally agreed with the findings and recommendations in our report. In November 2024, we verified that CISA published a list of critical software examples and guidance on how agencies are to use this list, both of which were made available to federal agencies. These documents identify a list of example software products that fall within each of the 11 categories of critical software. Accordingly, we consider this recommendation to be implemented. By taking these steps, agencies have an increased assurance that software vendors are following required criteria and guidelines to enhance the security of software.

Recommendation 2 (Department of Homeland Security)
The Secretary of Homeland Security, through the Director of CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board's operations.
Status: Open
The Department of Homeland Security, through CISA, stated that it generally agreed with the findings and recommendations in our report. As of November 2024, the department stated that CISA's Stakeholder Engagement Division has taken some steps, such as establishing the Office of the National Cyber Director as a standing member of the Cyber Safety Review Board. According to CISA, the Stakeholder Engagement Division is responsible for supporting the Cyber Safety Review Board and plans to fully implement the recommendation by December 2024. Once the department has taken action, we plan to verify whether implementation has occurred.

Recommendation 3 (Office of Management and Budget)
The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order.
Status: Open
OMB neither agreed nor disagreed with our recommendation. As of November 2024, OMB has not provided documentation of actions to address this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation 4 (Office of Management and Budget)
The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order.
Status: Open
OMB neither agreed nor disagreed with our recommendation. As of November 2024, OMB has not provided documentation of actions to address this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation 5 (Office of Management and Budget)
The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order.
Status: Open
OMB neither agreed nor disagreed with our recommendation. As of November 2024, OMB has not provided documentation of actions to address this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

GAO Contacts

Marisol Cruz Cain
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs
