On May 30, the Office of Management and Budget (“OMB”) released the Federal Cybersecurity Risk Determination Report and Action Plan (the “Report”). The Report is the result of investigations ordered by President Trump pursuant to Presidential Executive Order 13800, Strengthening of Cybersecurity of Federal Networks and Critical Infrastructure (the “Order”), which made clear that agency heads will be held accountable for protecting their networks and called on government to reduce the threat from cyberattacks. According to the Report, seventy-one of the ninety-six agencies investigated were deemed to be either “At Risk” or “High Risk,” and twenty-five agencies were deemed to be “Managing Risk.”
The Report defined an “At Risk” agency as having “[s]ome essential policies, procedures and tools . . . in place to mitigate overall cybersecurity risk, but significant gaps remain,” whereas a “High Risk” agency was defined as not having “[k]ey fundamental cybersecurity policies, processes, and tools . . . in place or [having not been] deployed sufficiently.” Agencies deemed to be “Managing Risk” have instituted the required policies, procedures and tools and actively manage their cybersecurity risks. The Report did not detail which agencies were assigned the various risk assessment levels; however, Stewart Baker, a former Assistant Secretary for Policy at the Department of Homeland Security, told the Washington Post that, “the scope of the issues described in the [R]eport makes it clear that both small and large agencies alike have a ton of work to do.”
Although the Report offered four core recommendations for ameliorative action, it nonetheless noted that, “[f]ederal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.” The Report also noted that only sixteen percent of agencies achieved the government-wide target for encrypting data at rest and that, “it is easy to see government’s priorities [with respect to data encryption] must be realigned.”
Whether the Report spurs agencies to act remains to be seen, but the OMB stated that it will take necessary actions to implement various cybersecurity frameworks and help shape agency budgets for upcoming years to account for the threats assessed.