- From 2017 to Q2 2019, federal agencies decreased the number of vulnerable network infrastructure devices from 11,474 to zero, according to the Government Accountability Office's recent report on the state of federal cybersecurity.
- The network infrastructure directive was issued in September 2016 to address "urgent" flaws in network infrastructure devices. It was in response to flaws impacting firewalls, Cisco Adaptive Security Appliance and Cisco ROM Monitor Integrity. One of the directives included removing Kaspersky software from devices.
- The directive gave agencies 45 days to update the devices. Only half of the agencies had remediation in place within six months. GAO said it took two years for agencies to meet the directive because of complications in replacing end-of-life devices and changing default settings.
DHS is struggling to keep pace with mitigations across federal agencies, while being responsible for protecting private entities in cybersecurity.
When the Federal Information Security Modernization Act (FISMA) went into effect in 2014, the DHS was ordered to oversee the implementation operational directives, according to GAO.
The agency failed to coordinate with other agencies in the early stages of implementation. DHS also waited until one to two weeks before directives were issued to coordinate with the National Institute of Standards and Technology (NIST) and left out NIST's "technical comments." Both processes were required by FISMA.
Now, the U.S. is up against a 42% increase in nation-state cyberattacks. Cyberattacks with ties to cyberwar or geopolitical conflict increased nearly 10% in 2019.
Outdated systems and a lack of personnel are slowing government efforts in completing directives, said Vijay D'Souza, director of IT and cybersecurity issues at GAO, in an email to CIO Dive.
While GAO wants its recommendations to guide DHS and other agencies toward overcoming challenges, the watchdog is waiting for agency progress, said D'Souza.
While DHS has made improvements recently, GAO found DHS to be unfavorably positioned to validate all the directives of agencies. DHS "lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion," according to the report.