Addressing GAO’s findings on national cyber risk management gaps

This post first appeared on Federal News Network. Read the original article.

Cyber risk management is vital for protecting the nation’s data assets from cyber adversaries. Yet the Government Accountability Office uncovered security gaps in risk management as the agency analyzed the effectiveness of the 2023 National Cybersecurity Strategy.

GAO has pointed out the need for robust guidance to assist federal agencies in evaluating, prioritizing and mitigating cybersecurity risks. This guidance should facilitate coordinated efforts with key players, including state and local governments, the private sector and international allies. The GAO’s report emphasizes the barriers these agencies encounter when enacting cybersecurity risk management processes, such as recruiting and retaining skilled staff, handling multiple priorities concurrently and standardizing cyber capabilities across various platforms and systems.

Furthermore, there is a pressing need for federal agencies to refine their cyber risk evaluation methods. The existing approach relies predominantly on the Common Vulnerability Scoring System (CVSS), which rates the severity of security vulnerabilities in software. That system has its own limitations. Notably, agencies typically apply it as a simple, binary threshold that dictates when to patch, for instance mandating updates to a system whenever a vulnerability scores eight or higher. A more nuanced approach that weighs multiple factors would produce a more sophisticated and effective response to cybersecurity threats.

However, a CVSS score on its own does not indicate a cyberattack's actual risk or impact, nor does it account for the system's context or environment. A vulnerability may carry a high score yet not be exploitable on, or relevant to, a particular system. Conversely, a vulnerability with a low score may become more severe or more widely exploited over time.

Therefore, federal agencies should adopt a more comprehensive and accurate approach to cyber risk scoring that uses multiple sources and data types to assess the risk and impact of a cyberattack. For example, agencies should draw cyber risk insights from threat intelligence, asset inventory, network topology and vulnerability management tools. Agencies should also use a continuous and adaptive process to monitor and update their cyber risk scores.
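To make the contrast concrete, the following added example (not from the article or from Qualys) scores the same findings two ways: the binary "patch at CVSS 8 or higher" rule and a contextual score that folds in the sources the article names, namely threat intelligence (whether exploitation is known), the asset inventory (asset criticality), network topology (internet exposure) and reachability of the vulnerable component. The weights, the finding identifiers and the sample findings are all constructed for illustration; an agency would tune the weights against its own risk tolerance.

```python
from dataclasses import dataclass, replace

# Hypothetical weights for the contextual model (assumption, not a standard).
PATCH_THRESHOLD = 8.0        # the binary CVSS cutoff described in the article
W_BASE, W_KEV, W_EXPOSED, W_ASSET = 0.40, 0.25, 0.15, 0.20
UNREACHABLE_FACTOR = 0.1     # vulnerable code is present but never reached


@dataclass(frozen=True)
class Finding:
    finding_id: str            # placeholder label, not a real CVE number
    cvss_base: float           # 0..10, from the vulnerability scanner
    asset_criticality: float   # 0..1, from the asset inventory
    internet_exposed: bool     # from network topology
    known_exploited: bool      # from threat intelligence
    reachable: bool            # vulnerable component actually in use


def binary_decision(f: Finding) -> bool:
    """The simplistic rule: patch whenever the CVSS base score clears the bar."""
    return f.cvss_base >= PATCH_THRESHOLD


def contextual_score(f: Finding) -> float:
    """Weighted 0..10 score combining severity with environment and threat context."""
    raw = (W_BASE * f.cvss_base / 10.0
           + W_KEV * f.known_exploited
           + W_EXPOSED * f.internet_exposed
           + W_ASSET * f.asset_criticality)
    if not f.reachable:
        # High severity in code that is never executed is mostly theoretical risk.
        raw *= UNREACHABLE_FACTOR
    return round(raw * 10.0, 2)


def prioritize(findings, tolerance: float):
    """Return findings at or above the agency's tolerance, highest risk first."""
    above = [f for f in findings if contextual_score(f) >= tolerance]
    return sorted(above, key=contextual_score, reverse=True)


def update_with_threat_intel(f: Finding, exploited: bool) -> Finding:
    """Continuous re-scoring: a new threat-intel signal changes the score, not the CVSS."""
    return replace(f, known_exploited=exploited)


# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    # Critical CVSS, but in an unreachable library function on a low-value internal box.
    Finding("FINDING-A", 9.8, asset_criticality=0.3, internet_exposed=False,
            known_exploited=False, reachable=True),
    # Medium CVSS, but exploited in the wild on an exposed, business-critical system.
    Finding("FINDING-B", 6.5, asset_criticality=0.9, internet_exposed=True,
            known_exploited=True, reachable=True),
    # High CVSS on a moderately important internal system, no exploitation seen yet.
    Finding("FINDING-C", 8.1, asset_criticality=0.5, internet_exposed=False,
            known_exploited=False, reachable=True),
]
SAMPLE[0] = replace(SAMPLE[0], reachable=False)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.finding_id}: binary patch={binary_decision(f)} "
              f"contextual={contextual_score(f)}")
    print("above tolerance 7.0:", [f.finding_id for f in prioritize(SAMPLE, 7.0)])
    c_now_exploited = update_with_threat_intel(SAMPLE[2], True)
    print("FINDING-C after KEV signal:", contextual_score(c_now_exploited))
```

Under the binary rule, FINDING-A and FINDING-C are patched first and FINDING-B waits, even though B is the one being exploited on an exposed critical asset; the contextual score inverts that ordering. The `update_with_threat_intel` step shows the continuous process the article asks for: when intelligence later reports FINDING-C as exploited, its score rises without any change to its CVSS value.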

Developing a roadmap for advanced cyber risk management

Transitioning to more comprehensive cyber risk management requires a substantial shift in agency culture, personnel mindsets and cyber hygiene practices. Federal personnel must be able to adapt their working methods and effectively utilize the supporting technological infrastructure.

Additionally, they require accurate and appropriately formatted intelligence to ensure proper risk prioritization. Overcoming these hurdles demands a considerable investment of resources and sustained cooperation and dedication from all stakeholders, including federal officials, industry partners and personnel.

Considering these challenges, federal agencies should pursue the following steps to bridge the security gaps in their cyber risk management strategies:

  • Adjust cyber policies to align with a risk-based approach: Agencies should revise their policies so that patching and remediation decisions are driven by risk rather than by severity scores alone. This aligns with GAO’s recommendation to provide clear guidance on the roles and responsibilities of federal agencies and other stakeholders, and it supports the National Cybersecurity Strategy’s pillar of defending critical infrastructure.
  • Identify and incorporate relevant risk factors: Agency leaders should decide which risk factors their security teams need to include. Those factors may draw on information from the most recent attack or on the type of adversaries targeting the agency, such as Advanced Persistent Threat (APT) groups or nation-state attackers. That information should feed into the team’s analysis as the threat landscape continues to change.
  • Define and monitor threat tolerance levels: Agencies must determine their risk threshold for specific vulnerabilities. If the agency is not above those thresholds, it can wait or delay addressing the vulnerability to focus on higher-risk assets or vulnerabilities. This information will help drive security policies and procedures.
  • Train and equip security teams with the right tools and data: Security teams should undergo training on the algorithms and formulas needed to identify and determine high risks. Standardization of these algorithms and formulas is essential for risk management.
  • Combine functions or create a fusion center: Penetration testing, threat intelligence and vulnerability management teams must collaborate in the same security operations center. A vulnerability management analyst should be able to communicate with the Red Team, the penetration testers, to see how they exploit a vulnerability or talk with threat intelligence experts about the latest APT group. If done correctly, this can tighten risk-based decision-making.
  • Measure performance: If risk-based cybersecurity is to be effective, agencies must be able to measure performance to determine how well their cyber risk management programs are being executed. Agency leaders must know if their risk indicators are increasing or decreasing. Only a few agencies can measure their performance. Agency decision-makers need a mix of forward-looking and measurable performance data to analyze every three to six months to see how their agency is performing related to cyber risk management and find areas for improvement.

Deploy AI and automation for cyber risk assessments, risk prioritization and regulatory compliance

Artificial intelligence has emerged as a transformative force in the rapidly evolving cybersecurity landscape, offering unprecedented real-risk assessment and management capabilities. AI-powered cybersecurity tools are now used by agencies seeking to navigate the complex terrain of cyber threats with agility and precision. These advanced systems provide continuous monitoring and real-time visibility, which is crucial for detecting and responding to cyber risks promptly.

The integration of AI in cybersecurity extends beyond mere threat detection; it encompasses automated remediation strategies that can swiftly address vulnerabilities across diverse and intricate hybrid, multi-cloud environments. This automation particularly benefits federal agencies, which must adhere to stringent standards and regulations such as the Federal Information Security Modernization Act (FISMA) and the Cybersecurity Maturity Model Certification (CMMC).

Moreover, AI’s role in cybersecurity is not limited to technical aspects alone. It also serves as a strategic asset in bridging the cyber talent gap within the federal sector. By leveraging AI’s data aggregation and interpretation capabilities, agencies can enhance their risk-based reporting, reducing the likelihood of human error and bias inherent in manual processes.

AI models learn from large data sets, enabling them to automate risk reporting and generate consistent, comprehensible documents that facilitate informed decision-making.

However, it is essential to recognize that AI is not a panacea but a critical component of a comprehensive risk assessment framework. It complements human expertise by providing a layer of intelligent analysis that can adapt to the dynamic nature of cyber threats.

As such, AI is a vital tool in the arsenal of cybersecurity professionals, empowering them to protect their organizations against an ever-changing array of digital dangers.

In conclusion, the GAO’s findings highlight that federal agencies must refine their cyber risk management practices and embrace emerging technologies like AI to fortify their defenses against cyber adversaries. Such efforts are critical for safeguarding national security and data privacy in an increasingly digital government.

Jonathan Trull is chief information security officer at Qualys.
