Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information
Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being.
However, safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—has been a long-standing concern. The security of federal cyber assets has been on our High-Risk List since 1997. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. In 2015, we added protecting the privacy of personally identifiable information (PII) that is collected, maintained, and shared by both federal and nonfederal entities.
Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations identify actions for agencies to take to strengthen technical security controls over their computer networks and systems. They also call on agencies to fully implement aspects of their information security programs, as mandated by the Federal Information Security Modernization Act (FISMA) of 2014 and its predecessor, the Federal Information Security Management Act of 2002, and to protect the privacy of PII held on their systems. However, many agencies continue to be challenged in safeguarding their information systems and information, in part because many of these recommendations have not been implemented. As of October 2016, about 1,000 of our information security–related recommendations had not been implemented.
Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks. Ineffectively protecting cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.
Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity makes it easier to track individuals by allowing easy access to information pinpointing their locations. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.
Critical infrastructure includes systems and assets so vital to the United States that incapacitating or destroying them would have a debilitating effect on national security. These critical infrastructures are grouped by the following industries or "sectors": chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology (IT); nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
PII is any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information.
Leadership at the White House and the Department of Homeland Security (DHS) has demonstrated a commitment to improving cybersecurity. For example, the President issued strategy documents for improving aspects of cybersecurity, as well as an executive order (E.O.) and a policy directive for improving the security and resilience of critical cyber infrastructure. However, challenges remain, such as shortages of qualified cybersecurity personnel and continued weaknesses in agencies’ information security programs. These challenges need to be addressed as initial steps toward removal from the High-Risk List. Furthermore, progress will need to be demonstrated by agencies fully implementing their information security programs and by critical infrastructure sectors improving their cybersecurity.
In addition, Congress enacted legislation intended to strengthen information security across the federal government and to improve the protection of critical cyber assets. The Cybersecurity Act of 2015 established a voluntary framework for sharing cybersecurity threat information between and among the federal government, state governments, and private entities, and protects private sector entities from liability when sharing and receiving cyber threat information. The act also makes DHS’s National Cybersecurity and Communications Integration Center responsible for implementing these mechanisms, requires DHS to offer its intrusion detection and prevention capabilities to any federal agency, and calls for agencies to assess their cyber-related workforce.
- The Executive Office of the President (EOP) and federal agencies should implement our approximately 1,000 open recommendations, especially those related to implementing risk-based information security programs.
- The federal government should effectively execute the steps in the government-wide plans, including the Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government, the Cybersecurity National Action Plan, and the Federal Cybersecurity Workforce Strategy.
- The federal government needs to resolve the government-wide material weakness in information security for 2 consecutive years and reduce the factors that contribute to a significant deficiency, as we reported in our annual audits of the financial statements of the United States government.
Federal agencies need to effectively implement risk-based, entity-wide information security programs consistently over time. The following actions will assist agencies in implementing their information security programs:
- enhance capabilities to effectively identify cyber threats to agency high-impact systems and information,
- implement sustainable processes for securely configuring information systems and networks,
- patch vulnerable systems and replace unsupported software,
- develop comprehensive security test and evaluation procedures and conduct these examinations on a regular and recurring basis, and
- strengthen oversight of contractors providing information technology (IT) services.
The federal government needs to improve its abilities to detect, respond to, and mitigate cyber incidents. The following actions will assist the federal government in these efforts:
- DHS needs to expand capabilities, improve planning, and support wider adoption of its government-wide intrusion detection and prevention system.
- Agencies need to develop and implement complete policies, plans, and procedures for responding to cyber incidents and effectively oversee response activities.
- Agencies need to consistently implement policies and procedures for responding to breaches of PII.
The federal government needs to expand its cyber workforce planning and training efforts. Agencies need to
- enhance efforts for recruiting and retaining a qualified cybersecurity workforce and
- improve cybersecurity workforce planning activities.
The federal government needs to expand efforts to protect cyber critical infrastructure. For example:
- DHS and sector-specific agencies need to collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber risk mitigation activities; and
- DHS needs to assess whether its efforts to share information on cyber threats, incidents, and countermeasures with federal and non-federal entities are useful and effective.
The federal government needs to better oversee the protection of PII contained in electronic health information and health insurance marketplaces. Needed efforts include the following:
- The Department of Health and Human Services (HHS) needs to enhance its oversight of, and guidance for, the privacy protections implemented by entities that maintain electronic health information.
- HHS's Centers for Medicare & Medicaid Services (CMS) needs to ensure that Healthcare.gov and state health insurance marketplaces have effective controls in place to safeguard electronic health information.
- Congress should consider amending privacy laws to more fully protect the PII collected, used, and maintained by the federal government.
A material weakness is a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement on the financial statements will not be prevented or detected. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.
GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015.
[Figure: Cyber Incidents Reported by Federal Agencies, Fiscal Year 2006--2015]
Several laws and policies establish a framework for the federal government's information security and assign implementation and oversight responsibilities to key federal entities, including th...
GAO-16-513: Published: Aug 30, 2016. Publicly Released: Sep 29, 2016.
Although the Food and Drug Administration (FDA), an agency of the Department of Health and Human Services (HHS), has taken steps to safeguard the seven systems GAO reviewed, a significant number of security control weaknesses jeopardize the confidentiality, integrity, and availability of its information and systems. The agency did not fully or consistently implement access controls, which are inte...
GAO-16-686: Published: Aug 26, 2016. Publicly Released: Sep 15, 2016.
Under the Federal Information Security Modernization Act of 2014 (FISMA 2014), the agency chief information security officer (CISO) has the responsibility to ensure that the agency is meeting the requirements of the law, including developing, documenting, and implementing the agency-wide information security program. However, 13 of the 24 agencies GAO reviewed had not fully defined the role of the...
GAO-16-771: Published: Aug 26, 2016. Publicly Released: Sep 26, 2016.
The use of electronic health information can allow providers to more efficiently share information and give patients easier access to their health information, among other benefits. Nonetheless, systems storing and transmitting health information in electronic form are vulnerable to cyber-based threats. The resulting breaches—involving over 113 million records in 2015—can have serious adverse...
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting...
GAO-16-317: Published: Apr 21, 2016. Publicly Released: May 9, 2016.
GAO found that the majority of the reviewed websites for smartphone tracking applications (apps) marketed their products to parents or employers to track the location of their children or employees, respectively, or to monitor them in other ways, such as intercepting their smartphone communications. Several tracking apps were marketed to individuals for the purpose of tracking or intercepting the...
GAO-16-350: Published: Mar 24, 2016. Publicly Released: Apr 25, 2016.
Modern vehicles contain multiple interfaces—connections between the vehicle and external networks—that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyberattacks. Researchers have shown that these interfaces—if not properly secured—can be exploited through direct, physical access to a vehicle, as well as remotely through short-range a...
GAO-16-265: Published: Mar 23, 2016. Publicly Released: Mar 23, 2016.
The Centers for Medicare & Medicaid Services (CMS) reported 316 security-related incidents, between October 2013 and March 2015, affecting Healthcare.gov—the web portal for the federal health insurance marketplace—and its supporting systems. According to GAO's review of CMS records for this period, the majority of these incidents involved such things as electronic probing of CMS systems by pot...
GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.
The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:
Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data...
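The abstract above describes NCPS intrusion detection as a comparison of network traffic against known patterns of malicious data. The following is an added example, not NCPS or GAO code, of what that signature-based approach does and does not catch: the signatures, sample payloads and rule identifiers are all constructed here for illustration, and the detector is a generic pattern matcher rather than the government-wide system. A trivially encoded variant of a known pattern slips past an exact-match rule until the payload is normalized, and an encrypted (TLS) record is opaque to this kind of matching regardless.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int            # rule identifier (constructed; not from any real ruleset)
    name: str
    pattern: re.Pattern  # compiled byte pattern matched against raw payload


# Constructed signatures for illustration only. They are not NCPS/EINSTEIN rules.
SIGNATURES = (
    Signature(1, "known-beacon-uri",
              re.compile(rb"GET /beacon\?id=[0-9a-f]{8} HTTP/1\.[01]")),
    Signature(2, "webshell-cmd-param",
              re.compile(rb"(?:^|[?&\r\n])cmd=whoami")),
)


def normalize_http(payload: bytes) -> bytes:
    """Percent-decode the payload so that 'cmd=who%61mi' and 'cmd=whoami'
    compare equal. Real sensors apply many such normalizations; this is the
    minimal one needed to show the difference below."""
    return unquote_to_bytes(payload)


def match_signatures(payload: bytes, signatures=SIGNATURES, normalize=False):
    """Return the ids of every signature whose pattern occurs in the payload.
    With normalize=False this is plain 'known pattern' comparison; with
    normalize=True the payload is decoded first."""
    data = normalize_http(payload) if normalize else payload
    return [s.sid for s in signatures if s.pattern.search(data)]


# Constructed sample traffic: (label, payload). Hostnames are placeholders.
SAMPLE_TRAFFIC = (
    ("beacon",           b"GET /beacon?id=deadbeef HTTP/1.1\r\nHost: c2.example\r\n\r\n"),
    ("benign",           b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("webshell",         b"POST /up.php HTTP/1.1\r\nHost: www.example\r\n\r\ncmd=whoami"),
    ("webshell-encoded", b"POST /up.php HTTP/1.1\r\nHost: www.example\r\n\r\ncmd=who%61mi"),
    # A TLS application-data record: the content is ciphertext, so no
    # plaintext signature can match it.
    ("tls-opaque",       b"\x17\x03\x03\x00\x20" + bytes(range(32))),
)


def scan(traffic=SAMPLE_TRAFFIC, normalize=False):
    """Run every payload through the matcher and map label -> alerted rule ids."""
    return {label: match_signatures(p, normalize=normalize) for label, p in traffic}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"normalize={mode}")
        for label, hits in scan(normalize=mode).items():
            print(f"  {label:18s} -> {hits if hits else 'no alert'}")
```

Without normalization only the two payloads that match a signature byte-for-byte raise an alert; the percent-encoded webshell request is missed, and the TLS record is never inspectable by this method. Adding the decoding step recovers the encoded variant but does nothing for the encrypted flow, which is the structural limit of comparing traffic to known plaintext patterns.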
GAO-16-79: Published: Nov 19, 2015. Publicly Released: Nov 19, 2015.
Sector-specific agencies (SSA) determined the significance of cyber risk to networks and industrial control systems for all 15 of the sectors in the scope of GAO's review. Specifically, they determined that cyber risk was significant for 11 of 15 sectors. Although the SSAs for the remaining four sectors had not determined cyber risks to be significant during their 2010 sector-specific planning pro...