Chairwoman Maloney Issues Statement on GAO Audit of Federal Agency Response to SolarWinds and Microsoft Exchange Hacks

Jan 13, 2022
Press Release

Washington, D.C. (January 13, 2022)—Today, Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, released the following statement following the issuance of the Government Accountability Office’s audit of the federal response to the SolarWinds and Microsoft Exchange incidents:


“More than a year after the discovery of the devastating SolarWinds attack, in which the Russian government was able to gain network access to nine federal agencies, it’s clear that there are still significant gaps in the federal government’s ability to respond to advanced cyberattacks.  It’s troubling that the federal government was still working to remove cyberattackers from agencies’ networks six months after the attack was discovered, and I am alarmed to hear that cyberattackers may still have as-yet-undiscovered access to federal networks.”


“The federal government continues to be a top target for nation-state adversaries, and the report released today underscores the urgent need for Congress to update and strengthen the Federal Information Security Management Act, or FISMA.  Ranking Member Comer and I have released discussion draft legislation to do just that.  I look forward to working with my colleagues on this bipartisan legislation to meet the challenges of the cyber landscape.”


Highlights from GAO’s new report:


  • “Even though CISA’s efforts to work with agencies have provided a degree of confidence that the threat actor is no longer present, the threat actor may have established undiscovered persistent access within affected agencies and private companies’ networks.” (p. 22)


  • “Six agencies stated that they were unable to generate and maintain enough telemetry information to effectively determine what actions had occurred on their networks.” (p. 33)


  • “In June 2021, CISA reported that there were still response actions to be completed per Emergency Directive 21-01 for several agencies.  Specifically, for SolarWinds, CISA was still engaging with agencies that had evidence of follow-on threat actor activity to assist with implementing CISA’s supplemental direction for removing the threat actor.” (pp. 34-35)


  • “Federal agencies identified several practices that officials believe led to benefits or desirable outcomes in the coordination and response to the SolarWinds and Microsoft Exchange incidents.  Specifically, three UCG agency officials stated that coordinating with the private sector led to greater efficiencies in their incident response efforts.” (p. 39)


  • “Federal agencies also identified practices related to information sharing and evidence collection that led to challenges or undesirable outcomes in coordinating and responding to the SolarWinds and Microsoft Exchange incidents.  For example, officials from two UCG agencies stated that sharing information among agencies and private sector partners was a challenge and a slow process due to restrictions on sharing information.” (pp. 39-40)


  • “According to agency officials, there were significant gaps in agencies’ log data due to differences in how much data is retained and for how long, noting that while some agencies held log data for 90 or 180 days, others maintained no log data.” (p. 40)




117th Congress