The Government Accountability Office (GAO) says most of its recommendations to improve federal cybersecurity have not been implemented.
GAO has made about 335 recommendations in public reports since 2010 with respect to establishing a comprehensive cybersecurity strategy and performing oversight. As of December 2022, GAO found that approximately 60% of those recommendations have not been implemented. For example, in December 2020, GAO’s review of 23 civilian agencies found that none had fully implemented all of the seven foundational practices for supply chain risk management and that 14 had not implemented any of the practices.
Until the recommendations are fully acted upon, the government watchdog says federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.
In order to address the gaps that remain, GAO wants the U.S. government to establish a comprehensive cybersecurity strategy; mitigate global supply chain risks; address the federal cybersecurity worker shortage; and ensure the security of emerging technologies.
As a major step forward, in June 2021, the Senate confirmed the first National Cyber Director to head the Office of the National Cyber Director (ONCD) and serve as the principal advisor to the President on cybersecurity policy and strategy. GAO recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things. As of August 2022, according to ONCD, the development of a national cybersecurity strategy by the administration is underway.
GAO has previously made several recommendations aimed at addressing continuing cybersecurity workforce challenges, including developing a government-wide workforce plan and related supporting practices. Government-wide leadership responsibility for cyber workforce issues transitioned in 2022 from the Office of Management and Budget and the Department of Homeland Security to ONCD. The office says the national strategy currently under development will address these key issues.
A White House statement last year noted that the United States faces a significant shortfall in cyber talent, with estimates of approximately 700,000 open positions. To help close this gap, ONCD issued a Request for Information (RFI) in October 2022 to enable a wide range of diverse stakeholders to provide input that will inform the development of the new national strategy “to advance progress in cyber training, education, or workforce development”.
On January 19, ONCD officials agreed that they would continue to engage the broader cybersecurity research community in the development and implementation of cybersecurity policy. Private sector participants noted their openness to working with government entities to address the pernicious cybersecurity challenges facing the nation today.
GAO will issue a further three reports which lay out the main cybersecurity areas the federal government should urgently address.
