Cybersecurity Remains a High-Risk Area for Federal Agencies

Published: October 25, 2018


The main government audit agency has identified actions the federal government and other entities need to take to address cybersecurity challenges.

In a report released last month, Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, the Government Accountability Office (GAO) identified four major categories of cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. (See graphic below.)

Many Federal Agency Information Security Programs Fall Short

Of the four major cyber-challenge categories and critical actions, one particular aspect stood out to me under the category of securing federal systems and information, and specifically under GAO’s critical action “Address Weaknesses in Federal Agency Information Security Programs” (action number 6).

GAO found that “federal agencies continued to experience weaknesses in protecting their information and information systems due to ineffective implementation of information security policies and practices.” Federal agencies are required by the Federal Information Security Modernization Act (FISMA) to develop, document, implement and evaluate an information security program, and Executive Order 13800, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, states that agency heads will be held accountable for managing cybersecurity risk to their enterprises. But many departments and agencies are falling short.

Recommended Improvements Still Not Implemented

A year ago, GAO reported that most of the 24 major Executive Branch departments and agencies had weaknesses in each of the five major categories of information system controls (i.e., access controls, configuration management controls, segregation of duties, contingency planning, and agency-wide security management). All 24 had weaknesses in access control and security management, and the number of agencies that had weaknesses in the other three categories ranged from 21 to 23, i.e., the vast majority.

Throughout 2016 and 2017, GAO made 47 specific recommendations to a wide range of agencies – the National Aeronautics and Space Administration (NASA), the Nuclear Regulatory Commission (NRC), the Office of Personnel Management (OPM), the Department of Veterans Affairs (VA), the Internal Revenue Service (IRS), the Federal Deposit Insurance Corporation (FDIC), the Food and Drug Administration (FDA) and the Security Exchange Commission (SEC) – on ways each could improve its information security program and posture. Agency agreement with the recommendations was mixed, and implementation was even weaker. As of August 2018, GAO reported that only 19 of the 47 recommendations had been implemented. Further, among five of the larger organizations – IRS, NASA, NRC, OPM and VA – only 3 of the 29 related recommendations had been implemented. (IRS has implemented none of its 10 recommendations.)


Over the last few years, GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of the 10 action areas, and to date GAO reports that about 1,000 have not yet been implemented, making federal agencies' information and systems susceptible to an increasing multitude of cyber-related threats. It is no surprise, then, that GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities.