Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, GA says in a new report.

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.

Since 1997, the GAO has been regarding information security as a government-wide high-risk area and expanded it twice since: in 2003 to include critical cyber infrastructure and in 2015 to include the protection of personally identifiable information.

During this time, GAO performed assessments of the risks associated with the information technology systems of federal agencies and critical infrastructure (such as communications, energy, financial services, and transportation organizations) and recommended actions to improve their cybersecurity risks.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO notes.

GAO has now published the first in a series of four reports that bring into focus cybersecurity areas that need to be urgently addressed, starting with the need for a comprehensive cybersecurity strategy.

The White House and the National Security Council (NSC) issued a National Cyber Strategy and an Implementation Plan in 2018 and 2019, respectively, but GAO reported in 2020 that these do not address all desirable characteristics of national strategies (only three out of six characteristics were included).

While an Office of the National Cyber Director position was established and filled in 2021, a comprehensive national strategy has yet to be fully developed and implemented.

“We recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things,” GAO notes.

Advertisement. Scroll to continue reading.

Another area that the GAO has been looking into is federal agencies’ supply chain risk management practices. In 2020, out of 23 agencies reviewed, none had fully implemented all the seven foundational practices in the area and 14 had implemented none of these practices.

Despite that, agencies heavily rely on information and communications technology (ICT) products and services to conduct operations.

According to GAO, “implementing foundational practices for ICT supply chain risk management is essential to agencies addressing the risks of malicious actors disrupting mission operations, stealing intellectual property, or harming individuals.”

GAO’s new report also underlines the need for the Office of the National Cyber Director to address continuing cybersecurity workforce challenges, for federal agencies to improve the security of internet-connected devices – including Internet of Things (IoT) and operational technology (OT) devices – and for the federal government to address the risks associated with quantum computing and artificial intelligence (AI) technologies.

Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks

Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking

Related: U.S. Department of State Approves New Cyberspace Security Bureau

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.