FEDweek IT

Agencies need to improve their cyber incident response practices, GAO has said.

It said 24 major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents, and that based on a statistical sample of cyber incidents reported in fiscal 2012, those agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases.

For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident, and they did not consistently demonstrate how they had handled other key activities, such as whether actions to prevent the recurrence of an incident were taken, according to GAO-14-354.

It said that although six selected agencies reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements.

Further, DHS and OMB conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies’ cyber incident response practices, GAO said.

GAO called on OMB and DHS to address incident response practices government-wide, particularly in CyberStat meetings with agencies. It also called for stronger incident response practices at the agencies and asked DHS to establish measures of effectiveness for the assistance the US Computer Emergency Readiness Team provides to agencies.