The Government Accountability Office has reviewed 23 agencies for cybersecurity risk management. Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency’s enterprise risk management (ERM) program.
Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs. In summary, GAO found:
- Twenty-two agencies established the role of cybersecurity risk executive to provide agency-wide management and oversight of risk management.
- Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.
- Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.
- Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.
- Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.
GAO says the agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy until they address these concerns.
Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs. Most commonly cited were challenges related to hiring and retaining qualified personnel, competing priorities between cybersecurity and agency mission or operations, and establishing and implementing consistent cybersecurity risk management policies and procedures.
Several initiatives are underway that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, initiatives have not been established to address the other challenges on managing conflicting priorities, implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM.
GAO is making a raft of recommendations in an effort to improve agency cybersecurity risk management. Seventeen of the 23 agencies agreed with the recommendations.