OMB Told to Strengthen Agency IT Protection Plans
GAO: Plans to Defend Agency IT Not Adequately Addressed
The Office of Management and Budget must do a better job in getting federal agencies to enhance their efforts to safeguard their IT assets, the Government Accountability Office said in a report issued Monday.
Under a presidential directive and OMB guidance that took effect five years ago, 18 of 24 major agencies submitted plans that were to show how they would secure their IT systems and data. OMB allowed six agencies to provide documentation in lieu of plans, saying they neither owned nor operated any IT critical infrastructures. (See box below.)
However, the GAO said in its 55-page report, the agencies' plans generally failed to address 19 cyber and related requirements specified in OMB's guidance.
(The list of the 19 requirements can be found at the end of this story.)
Specifically, only four of the 18 plans fully addressed all the criteria. While the other 14 plans fully addressed at least eight criteria, they only partially addressed or did not address others, such as prioritizing key assets and documenting a strategy to protect them, that are essential for effectively planning for the protection of cyber assets. Since the development of these plans, eight agencies whose plans did not fully meet OMB's criteria have engaged in other critical infrastructure protection planning and related efforts that addressed some, but not all, of their shortfalls.
GAO contends that OMB failed to make these plans a priority. When agencies submitted their initial plans, OMB reviewed them and provided feedback, but didn't follow up to verify that agencies had revised their plans or to determine whether planning was being implemented and institutionalized. OMB attributed this to its attention being focused on other competing issues. In addition, GAO said, OMB didn't direct agencies to regularly revise their plans. GAO still sees this as a problem:
"Without more sustained leadership, management and oversight in this area, there is an increased risk that federal agencies individually, and the federal government collectively, will not, among other things, effectively identify, prioritize and protect their cyber critical assets, thus leaving them potentially vulnerable to deliberate efforts to destroy, incapacitate or exploit them."
GAO recommended that OMB direct agencies to update cyber plans to fully address OMB requirements and follow up to see that agencies ensure plans meet requirements and are being implemented. After reviewing a draft of the report, OMB concurred with GAO's recommendations.
OMB's 19 Criteria: IT and Related Requirements
Summarizing primary functions of the agency that rely on cyber critical infrastructure assets
- Summarize the agency's management structure, including the management responsible for the security of cyber critical infrastructure assets;
- Summarize locations and assets that support the primary functions;
- Describe the agency's current capabilities for identification of federally owned or operated cyber critical infrastructure assets;
- Describe the agency's current capabilities for assessments of cyber vulnerabilities and interdependencies;
- Describe the agency's current capabilities for prioritization of federal cyber assets;
- Describe the agency's current capabilities for adequately protecting cyber critical infrastructure assets;
- Summarize the agency's capability to respond to and recover from events that impair the ability to perform mission critical functions at or using federal cyber critical infrastructure assets;
- Summarize the agency's ability to identify gaps in carrying out any of the activities discussed above;
- Describe the agency's process for determining budget and personnel requirements for cyber critical infrastructure activities;
- Describe the agency's process for ensuring independent oversight of cyber CIP programs;
- Describe any corrective actions identified for cyber-related issues and if follow-on actions were taken; and
- Determine whether corrective actions for IT systems considered critical infrastructure were included in FISMA plans of action and milestones.
Identifying a prioritized list of the agency's cyber-related critical infrastructure
- Include a prioritized list of the agency's cyber-related infrastructure assets.
Developing a long-term protective strategy
- Describe the agency's long-term protective strategy to protect the cyber critical infrastructure identified in the plan;
- Describe performance metrics for the CIP program;
- Describe the status of major initiatives that are underway or planned for addressing cyber-related deficiencies;
- Describe milestones for the initiatives described and target dates for completing each milestone; and
- Discuss any specific management, technical, or operational challenges with regard to implementation of the plan.