Federal agencies have not demonstrated that they are effectively responding to cybersecurity breaches or incidents, in part due to a lack of employee training on incident response roles, according to a new report by the Government Accountability Office.
GAO detailed its analysis of a statistical sample of cyber incidents reported by agencies in fiscal 2012. While agencies identified the scope of an incident in most cases, they frequently failed to document an incident's impact or how they had handled it.
GAO examined six agencies selected at random – the Energy, Justice, Housing and Urban Development, Transportation and Veterans Affairs departments and NASA – to provide a statistical sample of agency cyber incident response preparedness. While all six agencies had developed elements of the policies, plans and procedures needed to guide incident response, their efforts were neither comprehensive nor consistent with federal laws and requirements, GAO found.
Those shortfalls were due in part to a lack of consistent training for incident response personnel, according to the report. While Justice, Transportation and HUD maintained lists of incident response personnel and their dates and types of training, Energy and NASA only partially addressed training issues, and the VA has not addressed them at all. This could result in inefficient incident detection and analysis, as well as costly mistakes, the report stated.
“If staff do not receive training on their incident response roles, they may not have the knowledge or skills to ensure they are prepared to effectively respond to cyber incidents affecting their agency,” GAO said.
GAO recommended that the six agencies, as well as all agencies responsible for cyber incident response, establish clear requirements for training incident response personnel.