Only 3 agencies have hit deadline for cyber event logging standards, GAO finds | FedScoop<\/title> <meta name=\"description\" content=\"Just three of the 23 civilian Chief Financial Officer Act agencies have met the cyber event logging standards called out in President Joe Biden\u2019s 2021 cybersecurity executive order and a subsequent Office of Management and Budget memo, a new Government Accountability Office report found.\"> <link rel=\"canonical\" href=\"https:\/\/fedscoop.com\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Only 3 agencies have hit deadline for cyber event logging standards, GAO finds\"> <meta property=\"og:description\" content=\"The Department of Agriculture, the National Science Foundation and the Small Business Administration are the only CFO Act agencies that met OMB\u2019s August 2023 timeline for the implementation of enhanced logging requirements.\"> <meta property=\"og:url\" content=\"https:\/\/fedscoop.com\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds\/\"> <meta property=\"og:site_name\" content=\"FedScoop\"> <meta property=\"article:published_time\" content=\"2023-12-07T18:33:56+00:00\"> <meta property=\"article:modified_time\" content=\"2023-12-08T16:20:27+00:00\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Feed\" href=\"https:\/\/fedscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Comments Feed\" href=\"https:\/\/fedscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/fedscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/fedscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1698686983g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/fedscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1701899484g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/fedscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/fedscoop.com\/wp-json\/wp\/v2\/posts\/75163\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/fedscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" href=\"https:\/\/fedscoop.com\/?p=75163\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fonly-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fonly-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-75163 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/fedscoop.com\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.194134078212\">\n<div class=\"single-article__header-content\" readability=\"33.265306122449\">\n<p> The Department of Agriculture, the National Science Foundation and the Small Business Administration are the only CFO Act agencies that met OMB\u2019s August 2023 timeline for the implementation of enhanced logging requirements. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg 9431w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=1536,863 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=2048,1151 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds-1.jpg?resize=1500,843 1500w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"43.726111636708\"><body readability=\"89.996574504527\"><\/p>\n<p>Just three of the 23 civilian Chief Financial Officer Act agencies have met the cyber event logging standards called out in President Joe Biden\u2019s <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">2021 cybersecurity executive order<\/a> and a subsequent Office of Management and Budget memo, a new Government Accountability Office <a href=\"https:\/\/www.gao.gov\/assets\/d24105658.pdf\">report<\/a> found.<\/p>\n<p>The Department of Agriculture, the National Science Foundation and the Small Business Administration all hit OMB\u2019s August 2023 deadline to reach advanced (tier 3) status for logging, meaning the agencies are fully compliant with requirements for implementation, centralized access and log categories.<\/p>\n<p>Agriculture and SBA officials told GAO that they were able to meet the logging due date thanks to internal efforts that preceded OMB\u2019s August 2021 memo. An NSF official, meanwhile, credited \u201cclose coordination and enhanced licensing with its security incident and event management provider\u201d for its timely compliance.<\/p>\n<p>While Agriculture, NSF and SBA are outliers, the GAO report noted that all CFO Act agencies have made progress on the incident response requirements. Still, it\u2019s critical that the 20 agencies that haven\u2019t yet reached advanced levels do so quickly, the report emphasizes.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cUntil the agencies implement all event logging requirements, the federal government\u2019s ability to fully detect, investigate, and remediate cyber threats will be constrained,\u201d the GAO report stated.<\/p>\n<p>As of August 2023, the GAO reported that none of the remaining agencies were at intermediate (tier 2) levels on logging, while three \u2014 the General Services Administration, the Social Security Administration and USAID \u2014 had achieved basic (tier 1) status. USAID said in an email to FedScoop that it has since reached intermediate status, and told the GAO that it should be fully compliant by the end of this year. One unnamed agency is on the same timeline as USAID, while another said it would complete its requirements sometime in fiscal 2024.<\/p>\n<p>Of the remaining 17 agencies in the not effective (0) logging tier, seven said they would reach advanced logging status within the fiscal 2024-2026 timeframe, and 10 did not share an updated timeline for completing the requirements.<\/p>\n<p>GAO reported three primary impediments cited by agencies who have so far fallen short of the ability to \u201cfully prepare to respond to cybersecurity incidents\u201d: lack of staff, event logging technical challenges and limitations in cyber threat information sharing.<\/p>\n<p>\u201cFederal entities have ongoing efforts that can assist in addressing these challenges,\u201d the GAO report said. \u201cThese efforts include onsite cyber incident response assistance from [the Cybersecurity and Infrastructure Security Agency], event logging workshops and guidance, and enhancements to a cyber threat information sharing platform.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Federal IT officials have also cited a lack of funding as a barrier to fully meeting logging benchmarks. Paul Blahusch, the Department of Labor\u2019s chief information security officer, said during Scoop News Group\u2019s CyberTalks event last month that addressing enhanced logging standards had been challenging due to the fact that it was \u201c<a href=\"https:\/\/fedscoop.com\/labor-department-ciso-somewhat-disappointed-by-lack-of-appropriations-to-fund-cyber-modernization-efforts\/\">potentially going to cost us quite a bit of money<\/a>\u201d and the agency hadn\u2019t received any additional appropriations for the work. <\/p>\n<p>GAO noted two long-term efforts tied to the logging issue that should be rolled out in fiscal 2024: the implementation of the National Workforce and Education Strategy and a new threat intelligence platform from CISA. <\/p>\n<p>The watchdog also delivered 20 recommendations to 19 agencies, 16 of which agreed with the new instructions.<\/p>\n<p>\u201cUntil agencies implement all event logging requirements outlined in OMB guidance, there is increased risk that they will not have complete information on their efforts to detect, investigate, and remediate cyber threats,\u201d GAO said. \u201cMoreover, the federal government as a whole may lack critical information and insights for identifying potentially significant cyber threats.\u201d<\/p>\n<p><em>This story was updated Dec. 8 with new information on USAID\u2019s logging progress.<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Acquisition<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to FedScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/fedscoop.com\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Only 3 agencies have hit deadline for cyber event logging<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,1290,1291,1292,1293,522,1294,1295],"tags":[86,454,1296,1297,1298,1299,525,1300,1301],"class_list":["post-2166","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-agriculture-usda","category-enhanced-logging","category-gao","category-nsf","category-omb","category-sba","category-usaid","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-agriculture-usda","tag-enhanced-logging","tag-gao","tag-nsf","tag-omb","tag-sba","tag-usaid"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-agriculture-usda\/\" rel=\"category tag\">Department of Agriculture (USDA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/enhanced-logging\/\" rel=\"category tag\">enhanced logging<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gao\/\" rel=\"category tag\">GAO<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nsf\/\" rel=\"category tag\">NSF<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/omb\/\" rel=\"category tag\">OMB<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sba\/\" rel=\"category tag\">SBA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/usaid\/\" rel=\"category tag\">USAID<\/a>","tag_info":"USAID","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2166"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2166\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2166,"date":"2023-12-07T18:39:43","date_gmt":"2023-12-07T18:39:43","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78485"},"modified":"2023-12-07T18:39:43","modified_gmt":"2023-12-07T18:39:43","slug":"only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/07\/only-3-agencies-have-hit-deadline-for-cyber-event-logging-standards-gao-finds\/","title":{"rendered":"Only 3 agencies have hit deadline for cyber event logging standards, GAO finds"},"content":{"rendered":"