Just three of the 23 civilian Chief Financial Officer Act agencies have met the cyber event logging standards called out in President Joe Biden’s 2021 cybersecurity executive order and a subsequent Office of Management and Budget memo, a new Government Accountability Office report found.
The Department of Agriculture, the National Science Foundation and the Small Business Administration all hit OMB’s August 2023 deadline to reach advanced (tier 3) status for logging, meaning the agencies are fully compliant with requirements for implementation, centralized access and log categories.
Agriculture and SBA officials told GAO that they were able to meet the logging due date thanks to internal efforts that preceded OMB’s August 2021 memo. An NSF official, meanwhile, credited “close coordination and enhanced licensing with its security incident and event management provider” for its timely compliance.
While Agriculture, NSF and SBA are outliers, the GAO report noted that all CFO Act agencies have made progress on the incident response requirements. Still, it’s critical that the 20 agencies that haven’t yet reached advanced levels do so quickly, the report emphasizes.
“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” the GAO report stated.
As of August 2023, the GAO reported that none of the remaining agencies were at intermediate (tier 2) levels on logging, while three — the General Services Administration, the Social Security Administration and USAID — had achieved basic (tier 1) status. USAID said in an email to FedScoop that it has since reached intermediate status, and told the GAO that it should be fully compliant by the end of this year. One unnamed agency is on the same timeline as USAID, while another said it would complete its requirements sometime in fiscal 2024.
Of the remaining 17 agencies in the not effective (0) logging tier, seven said they would reach advanced logging status within the fiscal 2024-2026 timeframe, and 10 did not share an updated timeline for completing the requirements.
GAO reported three primary impediments cited by agencies that have so far fallen short of the ability to “fully prepare to respond to cybersecurity incidents”: lack of staff, event logging technical challenges and limitations in cyber threat information sharing.
“Federal entities have ongoing efforts that can assist in addressing these challenges,” the GAO report said. “These efforts include onsite cyber incident response assistance from [the Cybersecurity and Infrastructure Security Agency], event logging workshops and guidance, and enhancements to a cyber threat information sharing platform.”
Federal IT officials have also cited a lack of funding as a barrier to fully meeting logging benchmarks. Paul Blahusch, the Department of Labor’s chief information security officer, said during Scoop News Group’s CyberTalks event last month that addressing enhanced logging standards had been challenging because it was “potentially going to cost us quite a bit of money” and the agency hadn’t received any additional appropriations for the work.
GAO noted two long-term efforts tied to the logging issue that should be rolled out in fiscal 2024: the implementation of the National Workforce and Education Strategy and a new threat intelligence platform from CISA.
The watchdog also delivered 20 recommendations to 19 agencies, 16 of which agreed with the new instructions.
“Until agencies implement all event logging requirements outlined in OMB guidance, there is increased risk that they will not have complete information on their efforts to detect, investigate, and remediate cyber threats,” GAO said. “Moreover, the federal government as a whole may lack critical information and insights for identifying potentially significant cyber threats.”
This story was updated Dec. 8 with new information on USAID’s logging progress.