Most federal agencies examined in a recent study by the Government Accountability Office lack a consistent, documented approach in responding to cybersecurity incidents, which it said could put government data and IT systems at greater risk.

The report studied responses by the 24 major executive branch agencies to a sample of security incidents reported in fiscal 2012. It found that "the 24 agencies did not effectively or consistently demonstrate actions taken in response to a detected incident in about 65 percent of reported incidents."

Although agencies strive to prevent security breaches in IT systems, incidents -- which can range from an alert of suspicious activity to a data breach -- are inevitable and are on the increase. There was a significant ruse in the number of incidents reported to the United States Computer Emergency Readiness Team (US-CERT) in fiscal 2013, jumping from between 34,000 to 35,000 per year for the previous three years to more than 46,000 in 2013. Agencies are required under the Federal Information Security Management Act to have plans for reporting and responding to incidents, but none of six agencies studied in depth by GAO had a complete plan in place.

[Can DOD and industry align their investment roadmaps? Read What DOD's Joint Information Environment Needs To Succeed.]

The report cites incidents of incomplete follow-up in responses and found that most agencies failed to consistently consider the potential impact of incidents.

The Homeland Security Department, responding to GAO recommendations, said it plans to strengthen its oversight of agencies' incident response practices this year.

{image 1}

Despite these failings, the report does not specifically fault the effectiveness of agency responses. The report addressed process rather than outcome. GAO found that agencies contained the majority of threats in the incidents studied -- about 75% -- and that they eradicated 77% of threats.

Systems were restored to operational states following an incident 81 percent of the time, but remedial actions were not consistently documented.

"Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents," the report warns.

The report follows a GAO report from earlier this year that found that agency responses to breaches of personally identifiable information were inconsistent. New guidelines on handling such breaches from the Office of Management and Budget (OMB) are expected to be phased in by the end of the year.

OMB has primary authority for overseeing FISMA, including incident response requirements, but much of the day-to-day responsibility has been delegated to DHS. US-CERT, a part of DHS, is the central point for agency support in incident response.

CyberStat reviews -- face-to-face meetings of DHS and administration cybersecurity officials with agency representatives to ensure accountability -- are the primary vehicle for cybersecurity oversight. The reviews do not address incident response, however, and only seven agencies received full reviews in 2013. "Further oversight, such as that provided by OMB's and DHS's CyberStat review process, may be warranted," GAO recommended.

DHS agreed that CyberStat represents an important opportunity to attain situational awareness, and said that it will assess the current state of incident response capabilities going forward.

GAO also made 25 recommendations to the six agencies studied in depth for the report (the Departments of Energy, Justice, Transportation, Housing and Urban Development, and Veterans Affairs, and NASA), primarily calling for them to revise policies, plans and procedures to more fully document required steps and outcomes.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.