GAO Provides Ten Critical Cyber Actions to Agencies, Says 1,000 Recs Remain Unfulfilled

The Government Accountability Office (GAO) released an interim report today detailing four major challenges and 10 critical actions that it says must be taken in order to stem the growing tide of cybersecurity threats facing the nation and Federal agencies.

GAO’s report was provided as the testimony of Comptroller General Gene Dodaro at today’s House Oversight and Government Reform Committee hearing on cybersecurity. The report highlights the vital nature of Federal IT systems, which are used to carry out the operations of the nation’s critical infrastructure, and is the culmination of thousands of recommendations GAO has made on cybersecurity since 2010. The report provides an update on the information security area first identified as “high-risk” by GAO in 1997.

The four main challenges and their component critical actions are summarized below.

Cyber Strategy

The first major challenge identified by GAO is “establishing a comprehensive cybersecurity strategy and performing effective oversight.”

GAO lists four critical actions to address the challenge:

  • Develop and execute a more comprehensive Federal strategy for national cybersecurity and global cyberspace;
  • Mitigate global supply chain risks (e.g., installation of malicious software or hardware);
  • Address cybersecurity workforce management challenges; and
  • Ensure the security of emerging technologies (e.g., artificial intelligence and Internet of Things).

Securing Federal Systems

The second major challenge involves “securing Federal systems and information,” GAO said. The actions needed to address the challenge call upon government to:

  • Improve implementation of government-wide cybersecurity initiatives;
  • Address weaknesses in Federal agency information security programs; and
  • Enhance the Federal response to cyber incidents.

Protecting Cyber Critical Infrastructure

The third major challenge involves “protecting cyber critical infrastructure.” GAO noted that in order to do that, the Federal government must take action to “strengthen the Federal role in protecting the cybersecurity of critical infrastructure (e.g., electricity grid and telecommunications networks).”

Accomplishing that will no doubt require collaboration between private sector critical infrastructure providers, sector-specific agencies, the Department of Energy, and the Department of Homeland Security, GAO indicated. The report also notes that adoption of the National Institute of Standards and Technology’s Cybersecurity Framework can aid in addressing pressing security issues, but says implementation of the framework alone does not go far enough.

Protecting Privacy and Sensitive Data

The fourth major challenge GAO flagged is “protecting privacy and sensitive data,” which it says government can tackle by:

  • Improving Federal efforts to protect privacy and sensitive data; and
  • Appropriately limiting the collection and use of personal information and ensuring such data is obtained with appropriate knowledge or consent.

This area of focus is relatively new for Federal agencies. Whereas information security broadly was first designated as a government-wide high-risk area in 1997, and cyber critical infrastructure in 2003, the inclusion of privacy protections for personally identifiable information was only designated in 2015.

GAO notes that, in total, it “has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings,” but that “as of July 2018, about 1,000 still needed to be implemented.”