Most agencies are not applying the infosec program requirements of the Federal Information Security Management Act (FISMA), including performing risk assessments and providing security awareness training, to help combat the new cyber threats, GAO analysts said in their report.
Also, while agencies are required to report incidents to a central federal agency, they are not consistently reporting incidents of phishing and spyware, according to GAO, which also included spam in its list of emerging threats. But agencies have not received guidance on what incidents to report or how to report them, analysts noted.
"Without effective coordination, the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities," the GAO report stated.
GAO recommended that the Office of Management and Budget ensure agencies are addressing the new threats in their infosec programs, and also advised OMB to coordinate with the Department of Homeland Security on developing guidelines for addressing and reporting incidents of emerging threats.
OMB officials generally agreed with the recommendations and said that OMB is developing incident reporting guidance with DHS's US-CERT.
Earlier this year, SC reported that the Department of Homeland Security still has a lot of work to do in order to meet its cybersecurity duties, according to a report by the Government Accountability Office.