Federal agencies and the nation’s critical infrastructure — such as energy, transportation systems, communications, and financial services — all depend on information technology systems to carry out key operations. The security of these systems and the data they use is vital to public confidence, national security, prosperity, and the well-being of government agencies.
With the rise of new and sophisticated risks, GAO designated information security as a government-wide high-risk area in 1997. GAO identified the actions the federal government and other entities need to take to address cybersecurity challenges. GAO primarily reviewed prior work issued since the start of fiscal year 2016 related to privacy, critical federal functions, and cybersecurity incidents, among other areas. GAO also reviewed recent cybersecurity policy and strategy documents, as well as information security industry reports of recent cyberattacks and security breaches.
In a recent report, GAO identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them.
GAO has made more than 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented.