In its second of four reports on federal cybersecurity, the Government Accountability Office (GAO) said federal agencies could better secure systems and information. The report provides an overview of earlier findings and recommendations, many of which remain outstanding.
GAO has made over 700 recommendations in public reports since 2010 with respect to securing federal systems and information. Around 20% of these are yet to be implemented. Until these are fully implemented, the government watchdog said federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.
Federal law assigned five key cybersecurity responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), including securing federal information and systems and coordinating federal efforts to protect critical infrastructure against cyber risk. To carry out these responsibilities, CISA undertook an organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. In March 2021, GAO reported that CISA had completed only 37 of 94 planned implementation tasks. Critical transformation tasks, such as finalizing the mission-essential functions of CISA's divisions and defining incident management roles and responsibilities across the agency, had not yet been completed.
To protect federal information and systems, the Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies' implementation of the act. In March 2022, GAO reported on the information security programs of 23 federal civilian agencies, drawing in part on the annual program evaluations that FISMA requires agency inspectors general (IGs) to conduct. Among other things, GAO noted that IGs had determined that 16 (70 percent) of the 23 agencies had ineffective programs for fiscal year 2020.
GAO found that Office of Management and Budget (OMB) guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, GAO reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance. By clarifying its guidance and enhancing its rating scale, GAO believes OMB could help ensure a more consistent approach and nuanced picture of agencies’ cybersecurity programs.
The Defense Department (DOD) and the U.S. defense industrial base (DIB) are dependent on information systems to carry out their operations. These systems continue to be the target of cyber attacks, as demonstrated by over 12,000 cyber incidents DOD has experienced since 2015. In November 2022, GAO reported DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, the review found that the department (1) had not fully implemented its processes for managing cyber incidents, (2) did not have complete data on cyber incidents that staff report, and (3) did not document whether it notifies individuals whose personal data is compromised in a cyber incident.
In addition, according to officials, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders.