OMB Releases Cybersecurity Report On Federal Agencies

King & Spalding

On May 30, the Office of Management and Budget (“OMB”) released the Federal Cybersecurity Risk Determination Report and Action Plan (the “Report”). The Report is the result of investigations ordered by President Trump pursuant to Presidential Executive Order 13800, Strengthening of Cybersecurity of Federal Networks and Critical Infrastructure (the “Order”), which made clear that agency heads will be held accountable for protecting their networks and called on government to reduce the threat from cyberattacks. According to the Report, seventy-one of the ninety-six agencies investigated were deemed to be either “At Risk” or “High Risk,” with twenty-five agencies being deemed as “Managing Risk.”

The Report defined an “At Risk” agency as having “[s]ome essential policies, procedures and tools . . . in place to mitigate overall cybersecurity risk, but significant gaps remain,” whereas a “High Risk” agency was defined as not having “[k]ey fundamental cybersecurity policies, processes, and tools . . . in place or [having not been] deployed sufficiently.”  Those agencies which were deemed to be “Managing Risk” have instituted required policies, procedures and tools and actively manage their cybersecurity risks. The Report did not detail which agencies were assigned the various risk assessment levels; however, Stewart Baker, a former Assistant Secretary for Policy at the Department of Homeland Security, told the Washington Post that, “the scope of the issues described in the [R]eport makes it clear that both small and large agencies alike have a ton of work to do.”

Although the Report offered four core recommendations for ameliorative action, it nonetheless noted that, “[f]ederal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.” The Report also noted that only sixteen percent of agencies achieved the government-wide target for encrypting data at rest and that, “it is easy to see government’s priorities [with respect to data encryption] must be realigned.”

Whether the Report spurs agencies to act is yet to be seen, but the OMB stated that it will take necessary actions to implement various cybersecurity frameworks and help shape agency budgets for upcoming years to account for the threats assessed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.