Ensuring the Cybersecurity of the Nation
Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on information technology (IT) systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being.
Because many of these systems contain vast amounts of personally identifiable information (PII), agencies must protect the confidentiality, integrity, and availability of this information. In addition, they must effectively respond to data breaches and security incidents when they occur.
The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks.
We have designated information security as a government-wide high-risk area since 1997. We expanded this high-risk area in 2003 to include protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.
Since our previous 2017 High-Risk Report, our assessment of efforts to address all five criteria remains unchanged.
Leadership commitment: met. In May 2017, the President issued an executive order requiring federal agencies to take a variety of actions, including better managing their cybersecurity risks and coordinating to meet reporting requirements related to cybersecurity of federal networks and critical infrastructure. Further, in December 2017, the President issued a National Security Strategy citing cybersecurity as a national priority and identifying needed actions, such as identifying and prioritizing risk and building defensible government networks.
The administration further described its planned approach to cybersecurity with the release of a National Cyber Strategy in September 2018. This national strategy outlines activities such as securing critical infrastructure, federal networks, and associated information, as well as developing the cybersecurity workforce. To lead the nation’s cybersecurity response activities, in November 2018, the President signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. Among other things, the law enables the Department of Homeland Security (DHS) to restructure the existing cybersecurity components within the National Protection and Programs Directorate to create a new cyber-focused agency.
Capacity: partially met. In June 2018, the administration issued a government-wide reform plan and reorganization recommendations that included, among other things, proposals for solving the federal cybersecurity workforce shortage. In particular, the plan notes the administration’s intent to prioritize and accelerate ongoing efforts to reform the way that the federal government recruits, evaluates, selects, pays, and places cyber talent. The plan further states that, by the end of the first quarter of fiscal year 2019, all 24 major federal agencies, in coordination with DHS and the Office of Management and Budget (OMB), are to develop a critical list of vacancies across their organizations.
Nevertheless, the federal government continues to face challenges in ensuring that the nation’s cybersecurity workforce has the appropriate skills. For example, we have previously reported that DHS and the Department of Defense had not fully addressed cybersecurity workforce management requirements set forth in federal laws. Further, as of June 2018, most of the 24 major federal agencies had not fully implemented all requirements associated with the Federal Cybersecurity Workforce Assessment Act of 2015. For example, three agencies had not conducted a baseline assessment to identify the extent to which their cybersecurity employees held professional certifications. As a result, these agencies may not be able to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of federal information and information systems.
Action plan: partially met. In response to the May 2017 presidential executive order, DHS issued a cybersecurity strategy in May 2018 that articulated seven goals the department plans to accomplish in support of its mission related to managing national cybersecurity risks over the next 5 years. Further, OMB issued the Federal Cybersecurity Risk Assessment and Action Plan in August 2018. The assessment stated that OMB and DHS examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data. The assessment identified core actions to address cybersecurity risks across the federal enterprise.
Additionally, the September 2018 National Cyber Strategy outlined the administration’s approach to cybersecurity through a variety of priority actions, such as centralizing management and oversight of federal civilian cybersecurity. However, the strategy lacks key elements that we have previously reported can enhance the usefulness of a national strategy, including clearly defined roles and responsibilities, and information on the resources needed to carry out the goals and objectives. Although the strategy states that National Security Council staff are to coordinate with departments, agencies, and OMB to determine the resources needed to support the strategy’s implementation, it is unclear what official maintains overall responsibility for coordinating these efforts, especially in light of the elimination of the White House Cybersecurity Coordinator position in May 2018.[1]
Going forward, it will be critical for the White House to clearly define the roles and responsibilities of key agencies and officials in order to foster effective coordination and hold agencies accountable for carrying out planned activities to address the cybersecurity challenges facing the nation. We have work underway examining federal roles and responsibilities for protecting the nation against cyber threats, including the implications of the decision to eliminate the cybersecurity coordinator position. We expect to report on the results of our work by the end of fiscal year 2019.
Monitoring: partially met. DHS has established the National Cybersecurity and Communications Integration Center (NCCIC), which functions as the 24/7 cyber monitoring, incident response, and management center for the federal civilian government. The United States Computer Emergency Readiness Team, one of several subcomponents of the NCCIC, is responsible for operating the National Cybersecurity Protection System. Operationally known as Einstein, this system is intended to provide DHS with situational awareness related to cybersecurity of entities across the federal government, through intrusion detection and prevention capabilities.
Nevertheless, DHS has continued to be challenged in measuring how the NCCIC is performing its functions in accordance with mandated implementing principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, as of December 2018, it had not established measures or other procedures for ensuring the timeliness of this assistance and support, as we previously recommended.
We also continued to find persistent weaknesses in federal agencies’ monitoring of their information security programs. The Federal Information Security Modernization Act of 2014 (and its predecessor the Federal Information Security Management Act of 2002) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness. Our numerous security control audits have identified hundreds of deficiencies related to agencies’ implementation of effective security controls.
Demonstrated progress: partially met. Since 2010, we have made over 3,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government—448 of which were made since the last high-risk update in February 2017. Nevertheless, many agencies face challenges in safeguarding their information systems and information, in part because many of these recommendations have not been fully implemented. Of the roughly 3,000 recommendations made since 2010, nearly 700 had not been fully implemented as of December 2018. We have also designated 35 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. As of December 2018, 26 of our priority recommendations had not been fully implemented.
[1] The White House Cybersecurity Coordinator position was created in December 2009 to, among other things, coordinate interagency cybersecurity policies and strategies, and to develop a comprehensive national strategy to secure the nation’s digital infrastructure.
Based on our prior work, we have identified four major cybersecurity challenges: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. To address these challenges, we have identified 10 critical actions that the federal government and other entities need to take (see figure 12).
Figure 12: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges
Congressional Actions Needed
We also have previously suggested that Congress consider amending laws, such as the Privacy Act of 1974 and the E-Government Act of 2002, because they may not consistently protect PII. Specifically, we found that while these laws and guidance set minimum requirements for agencies, they may not consistently protect PII in all circumstances of its collection and use throughout the federal government, and may not fully adhere to key privacy principles. However, the relevant revisions to the Privacy Act and the E-Government Act had not yet been enacted as of the date of this report.
Further, we suggested that Congress consider strengthening the consumer privacy framework and review issues such as the adequacy of consumers’ ability to access, correct, and control their personal information; and privacy controls related to new technologies such as web tracking and mobile devices. However, these suggested changes had not yet been enacted as of the date of this report.
GAO-19-143R: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
The Office of Personnel Management (OPM) has made progress in implementing GAO's recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1. Table 1: OPM’s Implemen...
GAO-18-518: Published: Sep 17, 2018. Publicly Released: Sep 17, 2018.
The Department of Education's Office of Federal Student Aid (FSA) partners with various entities (“non-school partners”) that are involved primarily in supporting the repayment and collection of student loans. Federal loan servicers are responsible for collecting payments on loans and providing customer service to borrowers on behalf of the Department of Education through its Direct Loan progr...
GAO-18-559: Published: Aug 30, 2018. Publicly Released: Sep 7, 2018.
Hackers stole the personal data of nearly 150 million people from Equifax databases in 2017. How did Equifax, a consumer reporting agency, respond to that event? Equifax said that it investigated factors that led to the breach and tried to identify and notify people whose personal information was compromised. In addition, three federal agencies that use Equifax services made their own security a...
GAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information in fiscal 2016 and 2017. We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing the use of encryption. However, we found continuing and new deficiencies, such as unen...
GAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities. Ten Critical Actions Needed to Address Four Major Cybersecurity Chal...
GAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Reliance on a global supply chain introduces multiple risks to federal information systems. Supply chain threats are present during the various phases of an information system's development life cycle and could create an unacceptable risk to federal agencies. Information technology (IT) supply chain-related threats are varied and can include: installation of intentionally harmful hardware or softwa...
GAO-18-210: Published: Mar 6, 2018. Publicly Released: Apr 5, 2018.
The Centers for Medicare and Medicaid Services (CMS) shares Medicare beneficiary data with three major types of external entities: (1) Medicare Administrative Contractors (MAC) that perform processing and distribution functions that support the payment of Medicare benefits; (2) research organizations (researchers) that use Medicare beneficiary data to study how health care services are provided to...
GAO-18-211: Published: Feb 15, 2018. Publicly Released: Feb 15, 2018.
Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Securit...
GAO-18-175: Published: Feb 6, 2018. Publicly Released: Feb 6, 2018.
The Department of Homeland Security (DHS) has taken actions to identify, categorize, and assign employment codes to its cybersecurity positions, as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014; however, its actions have not been timely and complete. For example, DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecu...