GAO High-Risk List Flags Major Challenges in Federal Cybersecurity

Even though the broad category of U.S. cybersecurity has spent more than ten years on the Government Accountability Office’s (GAO) High-Risk List, it appears there’s still plenty of work to be done in improving cyber defense, according to GAO’s update to the list issued earlier this week. While government agencies have made some important strides, according to the report, there are major cyber challenges cited that still need to be met.

“Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure Federal systems, and protect cyber critical infrastructure, privacy, and sensitive data,” the report says.

The GAO cites four major challenges to be addressed in establishing better cybersecurity:

  • Establishing a comprehensive cybersecurity strategy and performing effective oversight;
  • Securing Federal systems and information;
  • Protecting cyber critical infrastructure; and
  • Protecting privacy and sensitive data.

To attain success in these four major areas, the GAO identified 10 specific critical actions needed including “developing and executing a more comprehensive Federal strategy for national cybersecurity and global cyberspace, addressing cybersecurity workforce management challenges, and strengthening the Federal role in protecting the cybersecurity of critical infrastructure.”

Information security has been designated as a government-wide high-risk area since 1997 and in 2003, it was expanded to include cyber-critical infrastructure.

Since 2010, the GAO has made over 3,000 recommendations to address cybersecurity shortcomings, per the report. Of those 3,000 recommendations, 448 were made since the last high-risk report in 2017–an indication of the growing importance of cyber risks and tech fixes that can address them.  Despite significant strides in addressing these recommendations, about 700 of them have not yet been met, GAO said.

Recent