GAO reports that Cybersecurity executive order requirements are almost finished
Report Highlights Unfinished Requirements from 2021 Executive Order on Cybersecurity
The Government Accountability Office (GAO) has released a report indicating that just a few requirements from President Joe Biden’s 2021 executive order on improving the nation’s cybersecurity remain unfinished by the agencies responsible for implementing them. Out of the 55 requirements aimed at safeguarding federal IT systems from cyberattacks, only six are still in progress.
The Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget have completed 49 of the requirements, partially finished five, and deemed one as “not applicable.” The GAO emphasized that completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected.
One area where OMB fell short was in incorporating a required cost analysis into its annual budget process for removing barriers to threat information. Additionally, OMB was unable to demonstrate that agencies had adequate resources for implementing approaches for the deployment of endpoint detection and response.
CISA also has work to do in identifying and making available a list of critical software in use or in the acquisition process. The agency has not fully implemented recommendations on how to improve the Cyber Safety Review Board’s operations, which has faced criticism for its lack of authority and independence.
Despite these shortcomings, federal agencies have made significant progress in implementing the EO’s requirements, including developing procedures for improving the sharing of cyber threat information and guidance on security measures for critical software. The GAO issued recommendations to the Department of Homeland Security and OMB for full implementation of the EO’s requirements.
Overall, while progress has been made, there are still areas where improvement is needed to ensure the effective protection of federal IT systems from cyber threats.
