Once a year, the FBI goes through a process to establish its most severe and substantial threats. This process, known as "Threat Review and Prioritization" ("TRP"} is intended to direct the allocation of resources to address the highest rated threats. This audit examined how the FBI prioritized cyber threats from FY 2014 through FY 2016. While the FBI's efforts to prioritize threats across the enterprise is a vital step in the mitigation process, we believe that TRP's subjective terminology is a substantial weakness in the FBI's efforts at prioritizing cyber threats.
Because the criteria used in the TRP process are subjective and open to interpretation, we determined that the FBI's TRP process does not prioritize cyber threats in an objective, data-driven, reproducible, and auditable manner. We believe that the FBI Cyber Division's threat prioritization process should use an algorithmic, objective, and data-driven methodology; and should produce auditable rankings. Furthermore, we believe that because the TRP is a subjective process, cyber threats that require the greatest resources may not receive the highest priority. In addition, because TRP is conducted annually, we found that TRP may not be agile enough to identify emerging cyber threats in a timely manner.