Published: Dec 04, 2023.
Publicly Released: Dec 04, 2023.
Federal agencies have made progress in preparing for and responding to cyber threats. For instance, agencies have improved their ability to detect, analyze, and handle incidents like ransomware attacks and data breaches.
However, some agencies have not met the federal requirements for event logging—i.e., ensuring that cybersecurity incidents are tracked and that these tracking logs are appropriately retained and managed.
Information from federal IT logs is invaluable in the detection, investigation, and remediation of cyberthreats. We recommended that federal agencies fully implement requirements to log cybersecurity events, and more.
What GAO Found
Federal agencies rely upon the following for cybersecurity incident response:
- tools, such as endpoint detection and response solutions;
- services, such as threat hunting or cyber threat intelligence provided by the Cybersecurity and Infrastructure Security Agency (CISA) and third party firms; and
- resources, such as skilled staff and funding.
The 23 civilian Chief Financial Officers (CFO) Act of 1990 agencies have made progress in cybersecurity incident response preparedness by taking steps to standardize their incident response plans and demonstrating improvement in their capabilities for incident detection, analysis, and handling (see table).