This week, the Government Accountability Office (GAO) published a report titled “Cybersecurity - Implementation of Executive Order Requirements Is Essential to Address Key Actions”. The report examines the implementation of EO 14028 by CISA, NIST, and OMB.
The table below shows the GAO’s assessment of the EO 14028 leadership and oversight requirements (see Appendix III of the report for a description of the individual requirements):
| Executive Order Section | Fully complete | Partially complete | Not complete | Not applicable |
|---|---|---|---|---|
| Removing Barriers to Sharing Threat Information | 6 | 1 | — | — |
| Modernizing Federal Government Cybersecurity | 8 | — | — | — |
| Enhancing Software Supply Chain Security | 16 | 1 | — | — |
| Establishing a Cyber Safety Review Board | 6 | 1 | — | — |
| Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents | 4 | — | — | 1 |
| Improving Detection of Cybersecurity Vulnerabilities and Incidents | 7 | 1 | — | — |
| Improving the Federal Government's Investigative and Remediation Capabilities | 2 | 1 | — | — |
| Total | 49 | 5 | — | 1 |

(Counts are the number of requirements in each section; “—” means none.)
The report makes a total of five recommendations (p. 44), two for DHS and three for OMB:
• The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)
• The Secretary of Homeland Security, through the Director of CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board’s operations. (Recommendation 2)
• The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)
• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)
• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)