Only 59 percent of agencies have processes to communicate cyber risks across their enterprises even though OMB, GAO and IGs have been urging agencies for years to assess and mitigate those risks in the context of other risks, a White House report has said.
“OMB has repeatedly emphasized that managing risk effectively requires timely data reporting and communication flows so that employees at all levels in the organization have the information necessary to block attacks in their area of responsibility,” said a government-wide report based on risk assessments conducted by individual agencies.
The government “must implement a timely approach for communicating cyber threats and risks, and for appropriately prioritizing the people, processes, and technology resources necessary to defend agency networks,” it said.
Agencies “must adopt a common approach to identifying risks, as well as budgeting for and allocating resources to address those risks,” it said, adding that cybersecurity professionals “face challenges providing readily digestible information to senior leaders within their agency to manage their cybersecurity risk.”
Further, while agencies have widely adopted multi-factor authentication for their employees, only 55 percent limit access based on user attributes and roles, and only 57 percent review and track administrative privileges.