Federal Cybersecurity Risk Determination Report and Action Plan

Citation
Office of Management and Budget, Federal Cybersecurity Risk Determination Report and Action Plan (May 2018) (full-text).

Overview
The OMB published this Risk Report in accordance with Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and OMB Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This Risk Report comprises the determination report and action plan required by Executive Order 13800, and accordingly consists of the following sections:
 * Executive Summary: Understanding Cyber Risks. This section provides an overview of the findings and determinations discussed in this Risk Report and discusses four planned actions that OMB considers essential to effectively addressing systemic cybersecurity risk management challenges across the Government.
 * Risk Assessment Scope and Methodology. This section describes OMB's methodology for assessing agencies' cybersecurity programs and preparing this Risk Report in coordination with the Department of Homeland Security (DHS).
 * Findings. This section provides OMB's evaluation of 96 agency risk management assessment (risk assessment) reports, and describes planned actions that OMB and agencies will take to address government-wide cybersecurity gaps and identify unmet budgetary needs.

This Risk Report presents a high-level assessment of government cybersecurity risks, identifies actions to improve Federal cybersecurity, and acknowledges that OMB and the agencies must work together over the coming months to identify how to implement those actions. Together, these sections comprise the determination report and action plan required by Executive Order 13800.

The Risk Report does not cover every risk identified in the agency risk assessments. Two of the most significant areas of risk that were identified in agency assessments were the abundance of legacy information technology (IT), which is difficult and expensive to protect, as well as shortages of experienced and capable cybersecurity personnel.

Executive Order 13800 also requires the American Technology Council to produce an Information Technology Modernization Report to the President and for the Department of Commerce and DHS to produce a National Cybersecurity Workforce Report to the President, which will discuss these significant risks in greater breadth and scope. The Risk Report acknowledges these challenges and, in some instances, reinforces those reports. For instance, the Risk Report recognizes the detrimental impacts that limited personnel resources have on agencies' ability to manage their cybersecurity risks. It also examines the risks associated with several of the IT modernization challenges, namely decentralized security operations centers (SOCs) and the lack of standardized IT capabilities.