Dive Brief:
- From 2017 to Q2 2019, federal agencies decreased the number of vulnerable network infrastructure devices from 11,474 to zero, according to the Government Accountability Office's recent report on the state of federal cybersecurity.
- The network infrastructure directive was issued in September 2016 to address "urgent" flaws in network infrastructure devices. It was in response to flaws impacting firewalls, Cisco Adaptive Security Appliance and Cisco ROM Monitor Integrity. One of the directives included removing Kaspersky software from devices.
- The directive gave agencies 45 days to update the devices. Only half of the agencies had remediation in place within six months. GAO said it took two years for agencies to meet the directive because of complications in replacing end-of-life devices and changing default settings.
Dive Insight:
DHS is struggling to keep pace with mitigations across federal agencies, while being responsible for protecting private entities in cybersecurity.
When the Federal Information Security Modernization Act (FISMA) went into effect in 2014, DHS was ordered to oversee the implementation of operational directives, according to GAO.
The agency failed to coordinate with other agencies in the early stages of implementation. DHS also waited until one to two weeks before directives were issued to coordinate with the National Institute of Standards and Technology (NIST) and left out NIST's "technical comments." Both processes were required by FISMA.
Now, the U.S. is up against a 42% increase in nation-state cyberattacks. Cyberattacks with ties to cyberwar or geopolitical conflict increased nearly 10% in 2019.
Outdated systems and a lack of personnel are slowing government efforts in completing directives, said Vijay D'Souza, director of IT and cybersecurity issues at GAO, in an email to CIO Dive.
While GAO wants its recommendations to guide DHS and other agencies toward overcoming challenges, the watchdog is waiting for agency progress, said D'Souza.
While DHS has made improvements recently, GAO found DHS to be unfavorably positioned to validate all the directives of agencies. DHS "lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion," according to the report.