Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information

This information appears as published in the 2015 High Risk Report.

Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information.[1] The security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern. The security of our federal cyber assets has been on our list of high-risk areas since 1997. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. This year, we added protecting the privacy of personally identifiable information (PII)—information that is collected, maintained, and shared by both federal and nonfederal entities.

Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the ease of obtaining and using hacking tools, the steady advance in the sophistication of attack technology, and the emergence of new and more destructive attacks. The ineffective protection of cyber assets can result in the loss or unauthorized disclosure or alteration of information. This could lead to serious consequences and result in substantial harm to individuals and to the federal government.

Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity facilitates the tracking of individuals by allowing easy access to information pinpointing their location. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised. Furthermore, the number of reported security incidents involving PII at federal agencies has increased significantly in recent years and a number of high-profile breaches of PII have occurred at commercial entities.[2] For these reasons, we added protecting the privacy of PII to this high-risk area.

[1] Critical infrastructure includes systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on national security. These critical infrastructures are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

[2] A breach of data refers to an unauthorized or unintentional exposure, disclosure, or loss of sensitive information.

Leadership at the White House and the Department of Homeland Security (DHS) has committed to improving cybersecurity. For example, the President has issued strategy documents for improving aspects of cybersecurity and an executive order and policy directive for improving the security and resilience of critical cyber infrastructure. In addition, Congress has recently enacted legislation intended to strengthen information security across the federal government and to improve the protection of critical cyber assets. This legislation needs to be effectively implemented, and challenges remain, such as shortages in qualified cybersecurity personnel and continued weaknesses in agencies’ information security programs. These challenges need to be addressed as initial steps toward removal from the High Risk List. Furthermore, progress will need to be demonstrated by agencies fully implementing their information security programs and by critical infrastructure sectors improving their cybersecurity.

The White House and senior leaders at DHS have met the criterion of demonstrating top leadership commitment to securing federal information systems and critical cyber assets and protecting privacy. For example, the President has signed legislation and issued strategy documents for improving aspects of cybersecurity. In addition, senior leaders at DHS have committed time and resources to advancing cybersecurity efforts at federal agencies and within critical infrastructures.[1]

As part of its ongoing oversight, Congress recently enacted five laws that are intended to improve federal cybersecurity. The first, the Federal Information Security Modernization Act of 2014, revises the Federal Information Security Management Act of 2002 (FISMA).[2] Among other things, the act includes provisions to clarify and strengthen information security roles and responsibilities for the Office of Management and Budget (OMB), DHS, and federal agencies. Specifically, the act codifies and clarifies existing requirements for DHS to (1) assist OMB with overseeing and monitoring agencies’ implementation of security requirements; (2) operate the federal information security incident center; and (3) provide agencies with operational and technical assistance, such as that for continuously diagnosing and mitigating cyber threats and vulnerabilities. Furthermore, the act provides for the expanded reporting of security incidents and data breaches; requires OMB to annually assess agencies’ implementation of data breach notification policies and procedures; and specifies that the agency head ensure all personnel are held accountable for complying with information security requirements. Finally, the act also calls for OMB to revise OMB Circular A-130 to eliminate inefficient or wasteful reporting. This law is consistent with our prior suggestion that Congress consider legislation to better define roles and responsibilities for implementing and overseeing federal information security.

The second and third laws are intended to help DHS address its cybersecurity workforce challenges. The Cybersecurity Workforce Assessment Act requires DHS to assess its cybersecurity workforce and develop a strategy for addressing workforce gaps, and The Homeland Security Cybersecurity Workforce Assessment Act requires DHS to identify all of its cybersecurity positions and calls for the department to identify specialty areas of critical need in its cybersecurity workforce.[3] Both of these laws are consistent with our recommendations for actions to improve governmentwide cybersecurity workforce planning initiatives and workforce planning efforts at the agencies we reviewed.

The fourth, the National Cybersecurity Protection Act of 2014, codifies the role of DHS’ National Cybersecurity and Communications Integration Center as the federal civilian interface for sharing information concerning cybersecurity risks, incidents, analysis, and warnings for federal and non-federal entities, including owners and operators of information systems supporting critical infrastructure.[4] It directs DHS to provide shared situational awareness to federal and non-federal entities to enable real-time visibility of cybersecurity risks and incidents. The act requires DHS to coordinate the sharing of information related to cybersecurity risks and incidents and, upon request, to provide timely technical assistance, risk management support, and incident response capabilities to federal and non-federal entities. The act is consistent with our recommendation that the Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security bolster efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community. It also addresses our prior suggestion that Congress consider legislation to better define roles and responsibilities for protecting the nation’s critical cyber assets.

The fifth, the Cybersecurity Enhancement Act of 2014, among other things, authorizes the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure and to continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the federal government.[5] These provisions are consistent with our work highlighting NIST’s role in providing guidance to agencies and illustrating agencies’ challenges in implementing cloud computing. In addition, the act requires the Office of Science and Technology Policy (OSTP) in the Executive Office of the President to facilitate agencies’ development of a federal cybersecurity research and development plan. This law is consistent with our recommendations that the Director of OSTP, in conjunction with the National Cybersecurity Coordinator, take several actions to address key cybersecurity research and development challenges.

Senior leadership at OMB and DHS has partially met the criterion for improving the capacity of federal agencies to sufficiently protect their information systems. For example, DHS expanded the capacity of the National Cybersecurity and Communications Integration Center to improve the capability of federal stakeholders to share cyber information with the private sector owners and operators who own the vast majority of the nation’s critical infrastructure. In addition, DHS is spearheading an initiative to enhance the capabilities of federal agencies to continuously diagnose and mitigate information security vulnerabilities. However, more needs to be done to address shortages in qualified cybersecurity professionals. Officials at several agencies have identified concerns with the availability of qualified candidates for certain highly technical positions, such as network security engineers, malware analysts, and computer forensics experts. Previously, we reported that the extent to which federal agencies had implemented and established workforce planning practices for cybersecurity personnel varied by agency and that workforce plans at most (six of eight) agencies we reviewed did not fully define cybersecurity needs.[6] We recommended that the agencies take steps to improve their cybersecurity workforce planning and that agencies involved with government-wide cybersecurity workforce initiatives, such as DHS, take actions to improve coordination and planning for those initiatives.

The White House and DHS have partially met the criterion for having a corrective action plan to improve the protection of cyber assets. For example, the White House and DHS have issued various strategies and corrective action plans over the years to mitigate known cyber deficiencies and threats. However, the strategies and plans sometimes omitted (1) key elements such as milestones, performance metrics, required resources, roles, and responsibilities; and (2) key challenge areas such as developing risk-based information security programs. The President also issued Executive Order 13636, which outlines an action plan for improving security for critical cyber infrastructure. This includes developing a cybersecurity framework, performance measures, and incentives for its implementation. While some actions have been taken to address the Executive Order, such as NIST’s development of a critical infrastructure cybersecurity framework, others are ongoing.

The White House, OMB, and federal agencies have partially met the criterion for implementing programs to monitor corrective actions. For example, the White House and OMB have continued to monitor and track the performance of agencies’ capabilities in the cybersecurity cross-agency priority areas related to continuous monitoring and strong authentication, and have added antiphishing and malware defense as a priority area for fiscal year 2015. However, agencies did not meet the overall fiscal year 2014 performance targets for continuous monitoring and strong authentication. In addition, OMB and DHS have continued to monitor agencies’ implementation of information security requirements using FISMA metrics that are tracked in the CyberScope system.[7] Nonetheless, we have previously reported that the paucity of metrics that measure the effectiveness of those activities limits the usefulness of the system for monitoring how well agencies are securing their computer systems and networks.[8] DHS has also conducted CyberStat reviews that are intended to hold agencies accountable and offer assistance for improving their information security posture.[9] Nonetheless, we have previously reported that more actions could be taken to better oversee and assist agencies with improving their information security practices. Continued improvement and implementation of these capabilities and activities are steps in the right direction and could enhance federal information security.

Federal stakeholders also need to enhance their coordination and monitoring efforts with private sector entities to facilitate improvements to the cybersecurity of critical infrastructure, including the adoption or use of a cybersecurity framework. In February 2014, NIST completed the development of the initial version of the cybersecurity framework. This framework, among other things, is intended to enable organizations to apply risk management principles for improving the security of critical infrastructures. It also is designed to provide multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are being used in industry today.

Federal agencies and DHS have partially met the criterion of demonstrating progress in implementing many of the requirements for securing federal systems and networks. For example, some agencies have established certain components of their information security programs, but not others. Also, DHS has established a program to promote critical infrastructure sectors’ use of NIST’s cybersecurity framework.

However, cyber threats and incidents to systems supporting the federal government and national critical infrastructures are increasing. These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. For example, advanced persistent threats—where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risks. Further underscoring this risk are the increases in incidents that could threaten national security, public health, and safety, or lead to inappropriate access to and disclosure, modification, or destruction of sensitive information. Such incidents may be unintentional, such as a service disruption due to an equipment failure or a natural event, or intentional, where for example, a hacker attacks a computer network or system. Over the past 8 years, the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 1,121 percent (see figure 8).[10]

Figure 8: Incidents Reported to US-CERT by Federal Agencies in Fiscal Years 2006-2014

In addition, the federal government continues to face challenges in effectively implementing cybersecurity policies. GAO and agency inspector general reports have identified challenges in a number of key areas of the government’s approach to cybersecurity, including those related to protecting government information and systems and the nation’s critical cyber infrastructures. These challenges remain in the following areas.

  • Designing and implementing risk-based cybersecurity programs at federal agencies. Shortcomings persist in assessing risks, developing and implementing security controls, and monitoring results at federal agencies. Specifically, for fiscal year 2014, 17 of the 24 major federal agencies covered by the Chief Financial Officers Act reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting.[11] Further, inspectors general at 22 of the 24 agencies cited information security as a major management challenge for their agency.[12] For fiscal year 2014, most of the agencies had information security weaknesses in the majority of five key control categories: limiting, preventing, and detecting inappropriate access to computer resources; managing the configuration of software and hardware; segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation; planning for continuity of operations in the event of a disaster or disruption; and implementing agencywide information security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks regularly (see figure 9).

Figure 9: Information Security Weaknesses at Major Federal Agencies for Fiscal Year 2014

  • Managing risks to the global information technology (IT) supply chain. Reliance on a global supply chain for IT products and services introduces risks to systems. Federal agencies have not always addressed them. Specifically, in March 2012, we reported that four national security-related agencies varied in the extent to which they had defined supply chain protection measures for their information systems and that two were not in a position to develop implementing procedures and monitoring capabilities for the measures.[13] We recommended that three of the four agencies we reviewed take steps to better address IT supply chain-related security risks. The agencies concurred with our recommendations.
  • Addressing cybersecurity for the nation’s critical infrastructures. In December 2014, we reported that although DHS and other stakeholders were taking preliminary steps to address cyber risk to building and access control systems, significant work remained.[14] Specifically, DHS lacked a strategy for addressing cyber risk and the department’s Interagency Security Committee (ISC), responsible for developing physical security standards for nonmilitary federal facilities, had not incorporated cyber threats to building and access control systems in its threat report to federal agencies. In addition, the General Services Administration (GSA) had not fully assessed the risk of building control systems to a cyber attack in a manner that was consistent with FISMA or its implementation guidelines. We recommended that DHS develop and implement a strategy to address cyber risk to building and access control systems and direct ISC to revise its threat report to include cyber threats to building and access control systems. We also recommended that GSA assess cyber risk of its building control systems by fully reflecting FISMA and its guidelines. DHS and GSA agreed with our recommendations.
    In June 2014, we reported that federal efforts to address cybersecurity in the maritime port environment had been limited.[15] For example, while the Coast Guard had initiated a number of activities to improve physical security in specific ports, it had not (1) conducted a risk assessment that fully addressed cyber-related threats, vulnerabilities, and consequences; or (2) provided guidance that ensured the maritime security plans required by law and regulation identified or addressed potential cyber-related threats and vulnerabilities. Also, in January 2014, we reported, among other things, that critical infrastructure planning for the cybersecurity of state and local public safety entities involved in handling 911 emergency calls did not address the development and implementation of more interconnected, Internet-based information technologies.[16] In addition, we reported in April 2013 that, along with other things, DHS and its partners had not developed outcome-based performance measures related to the cyber protection of key parts of the communications infrastructure sector.[17] We concluded that outcome-based metrics related to communications networks and critical components supporting the Internet would provide federal decision makers with additional insight into the effectiveness of partner protection efforts at the sector level.
  • Enhancing oversight of contractors providing IT services. In August 2014, we reported that five of the six agencies reviewed were inconsistent in overseeing the execution and review of security assessments that were intended to determine the effectiveness of contractor implementation of controls, resulting in security lapses.[18] A contributing reason for these shortfalls was that agencies had not documented IT security procedures for officials to follow to effectively oversee contractor performance. In addition, according to OMB, 16 of 24 inspectors general reported that their agency’s program for managing contractor systems lacked at least one required element. For example, 11 agencies did not obtain sufficient assurance that security controls of such systems and services had been effectively implemented and complied with federal and organizational requirements, and 9 agencies had contractor-owned or contractor-operated systems that were not compliant with FISMA requirements, OMB policy, and applicable NIST guidelines. We recommended that OMB, in collaboration with DHS, develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems. We also recommended that the reviewed agencies develop, document, and implement IT security oversight procedures for their contractor-operated systems. OMB did not provide any comments, but the agencies we reviewed generally concurred with our recommendations.
  • Improving security incident response practices. In April 2014, we reported that the 24 major federal agencies did not consistently demonstrate that they had been effectively responding to cyber incidents.[19] Based on the statistical sample of cyber incidents reported in fiscal year 2012, we projected that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies did not consistently demonstrate that they had determined the impact of incidents or taken actions to prevent recurrence of an incident. Although all six agencies we reviewed in depth had developed parts of policies, plans, and procedures to guide their cyber incident response activities, agencies’ efforts were not comprehensive or fully consistent with federal requirements. We recommended that OMB and DHS address agency incident response practices government-wide, in particular through CyberStat meetings, and also recommended that the reviewed agencies take actions to improve the effectiveness of their cyber incident response programs. The agencies generally concurred with our recommendations.
  • Implementing security programs at small agencies. In June 2014, we reported that while small agencies had developed many of the requirements of an information security program, their programs had not been fully implemented.[20] Specifically, four of the six agencies reviewed had developed an information security program that included risk assessments, security policies and procedures, system security plans, security awareness training, periodic testing and evaluation, remedial action plans, incident handling, and contingency planning. However, key elements of their plans, policies, or procedures in these areas were outdated, incomplete, or did not exist. In addition, two of the six agencies did not develop an information security program with the required FISMA elements. We recommended that OMB include in its annual report to Congress on agencies’ implementation of FISMA a list of agencies that did not report on the implementation of their information security programs, and information on small agencies’ implementation of privacy requirements. We also recommended that DHS develop services and guidance targeted to small and micro agencies. OMB and DHS generally concurred with our recommendations.

With regard to protecting the privacy of personally identifiable information, actions have been taken but more needs to be done. The President has issued a consumer privacy “bill of rights” intended to be a blueprint for privacy in the information age. He has also established a presidentially chartered review group on intelligence and communications technologies that has made recommendations intended to strengthen personal privacy protections while maintaining national security. Nevertheless, the federal government continues to face challenges in effectively addressing increasing concerns about the protection of the privacy of personally identifiable information (PII). The number of reported security incidents involving PII at federal agencies has increased in recent years, rising from 10,481 incidents in 2009 to 27,624 incidents in 2014 (see figure 10).

Figure 10: Incidents Involving PII, Fiscal Years 2009 – 2014

In addition, the recent high-profile breaches of PII at federal agencies and commercial entities have heightened concerns that personal privacy is not being adequately protected. For example:

  • In September 2014, a cyber intrusion into the United States Postal Service’s information systems may have compromised PII for more than 800,000 of its employees.
  • In March 2014, a cyber attack on the Office of Personnel Management’s system for maintaining security clearance information could have exposed the PII of thousands of federal employees.
  • Credit and debit card information of 56 million customers of Home Depot, Inc. may have been compromised in a 5-month attack on its payment terminals.
  • Credit and debit card information for 40 million customers of Target was stolen by hackers in November and December 2013.

We have previously identified PII-related challenges for Congress and federal agencies to address in the following areas.

  • Updating federal law. We testified in July 2012 that technological developments since the Privacy Act became law in 1974 had rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all PII collected, used, and maintained by the federal government.[21] In addition, we suggested that Congress consider amending those laws by revising their scope to cover all PII collected, used, and maintained by the federal government; setting requirements to ensure that the collection and use of PII is limited to a stated purpose; and establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices.
  • Implementing programs to protect privacy and PII. In September 2014, we reported that the Centers for Medicare & Medicaid Services had not fully assessed privacy risks associated with handling PII or identified mitigating controls to address such risks when it prepared privacy impact assessments for its major systems.[22] It also had not established computer matching agreements with two federal agencies that each had a role in verifying information submitted by healthcare coverage applicants. We recommended, among other things, that all privacy risks associated with be analyzed and documented in privacy impact assessments, and that computer matching agreements be established with the two federal agencies with which it did not have an agreement. HHS generally concurred, but disagreed in part with our assessment that its privacy impact assessments did not fully address privacy risks associated with operations.
    In June 2014, we also reported that the six small agencies we reviewed had mixed progress in implementing privacy requirements.[23] For example, although five of the six agencies had assigned a senior official for privacy, most of the agencies did not consistently issue system of records notices or conduct privacy impact assessments for all systems containing personally identifiable information. We recommended, among other things, that the Director of OMB include in the annual report to Congress on agencies’ implementation of FISMA information on small agencies’ implementation of privacy requirements. OMB generally concurred with our recommendations.

  • Consistently implementing requirements for computer matching programs. The Computer Matching Act, which modifies the Privacy Act, aims to ensure that privacy is protected when agencies compare data across different systems to, among other things, assist in making determinations about benefits. In January 2014, we reported that the seven federal agencies we reviewed had implemented the act’s requirements inconsistently.[24] Agencies interpreted the act’s requirements in varied ways, leading to inconsistent policies and procedures. Further, the act’s requirements may discourage agencies from using computer matching because the required processes are lengthy and resource-intensive. We recommended that the seven reviewed agencies take steps to improve their implementation of the act. Six of the seven agencies generally agreed with our recommendations.
  • Responding to breaches of PII. In December 2013, we reported that the eight federal agencies we reviewed had inconsistently implemented policies and procedures for responding to a data breach involving PII.[25] Inconsistent implementation occurred in areas such as documenting how risk levels had been determined, offering credit monitoring to affected individuals, and evaluating lessons learned from incidents. In addition, OMB requirements for agency reporting of PII-related data breaches were not always feasible or necessary. We concluded that agencies may not be consistently taking actions to limit the risk to individuals from PII-related data breaches, and may be expending resources to meet OMB reporting requirements that provide little value and divert time and attention from responding to a breach. We recommended that OMB revise its guidance on federal agencies’ responses to a PII-related data breach and also recommended that the reviewed agencies take specific actions to improve their response to data breaches involving PII. OMB neither agreed nor disagreed with our recommendations. Of the eight agencies we reviewed, four agreed with all our recommendations, two partially agreed, and the remaining two neither agreed nor disagreed.
  • Better protecting privacy of mobile device location data. In September 2012, we reported on concerns among privacy advocates that consumers may be unaware of how location data captured by their smartphones is shared and used by third parties, and could be at risk of identity theft or other harm if that information is misused or inadequately protected.[26] The Department of Commerce’s National Telecommunications and Information Administration (NTIA) planned a multistakeholder process to develop codes of conduct for protecting the privacy of location data, but specific goals, milestones, and performance measures for that effort had not been set. We recommended that NTIA develop such goals, milestones, and performance measures, and that the Federal Trade Commission consider issuing guidance to mobile companies on appropriate actions for protecting the privacy of location data. The Department of Commerce disagreed with our recommendation to NTIA, but the Federal Trade Commission agreed with our recommendation and implemented it.

Furthermore, revelations about the extent to which private companies collect detailed information about the activities of individuals have raised concerns about the potential for significant erosion of personal privacy. For example, private sector uses of PII through data analytics programs raise concerns about transparency (the analytical activities are done in “secret”), context (the data being analyzed may be specific to a certain context, which is lost when it is combined with other data), accuracy (the data may be inaccurate or out of date, or they may not be sufficiently accurate for the new purpose), and redress (individuals adversely affected by the analytical results have no way to correct the problem or be compensated for any resulting hardship).

In September 2013, we noted that no overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers (companies that collect and resell information on individuals).[27] We also concluded that the current statutory framework for consumer privacy does not fully address new technologies—such as the tracking of online behavior or mobile devices—and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties.

[1] In 2010, DHS was assigned OMB’s operational cybersecurity responsibilities by OMB Memorandum M-10-28 (July 6, 2010).

[2] The 2002 FISMA was enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002). The 2014 Federal Information Security Modernization Act superseded the 2002 FISMA on December 18, 2014, Pub. L. No. 113-283 (Dec. 18, 2014).

[3] Pub. L. No. 113-246 (Dec. 18, 2014) and Sec. 4, Pub. L. No. 113-277 (Dec. 18, 2014).

[4] Pub. L. No. 113-282 (Dec. 18, 2014).

[5] Pub. L. No. 113-274 (Dec. 18, 2014).

[6] GAO, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, GAO‑12‑8 (Washington, D.C.: Nov. 29, 2011).

[7]Subsequent references to FISMA relate to FISMA 2002, unless noted otherwise.

Cyberscope is an interactive data collection tool that has the capability to receive data feeds on a recurring basis to assess the security posture of a federal agency’s information infrastructure.

[8] GAO, Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness, GAO-13-776 (Washington, D.C.: Sept. 26, 2013).

[9] CyberStat reviews are in-depth sessions with national security staff, OMB, DHS, and an agency to discuss that agency’s cybersecurity posture and discuss opportunities for collaboration.

[10] These totals represent both paper-based and cyber-related incidents reported by federal agencies.

[11] We did not receive a fiscal year 2014 annual financial report from the Department of Housing and Urban Development (HUD). The report will not be available until March 2015.

The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development.

A material weakness is a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

[12] We did not receive a fiscal year 2014 annual financial report from HUD. The report will not be available until March 2015.

[13] GAO, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks, GAO‑12‑361 (Washington, D.C.: Mar. 23, 2012).

[14] Building and access control systems are computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning.

GAO, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems, GAO‑15‑6 (Washington, D.C.: Dec. 12, 2014).

[15] GAO, Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity, GAO‑14‑459 (Washington, D.C.: June 5, 2014).

[16] GAO, Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities’ Emerging Technology, GAO‑14‑125 (Washington, D.C.: Jan. 28, 2014).

[17] GAO, Communications Networks: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts, GAO‑13‑275 (Washington, D.C.: Apr. 3, 2013).

[18] GAO, Information Security: Agencies Need to Improve Oversight of Contractor Controls, GAO‑14‑612 (Washington, D.C.: Aug. 8, 2014).

[19] GAO, Information Security: Agencies Need to Improve Cyber Incident Response Practices, GAO‑14‑354 (Washington, D.C.: Apr. 30, 2014).

[20] GAO, Information Security: Additional Oversight Needed to Improve Programs at Small Agencies, GAO‑14‑344 (Washington, D.C.: June 25, 2014).

[21] GAO, Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape, GAO‑12‑961T (Washington, D.C.: July 31, 2012).

[22] GAO, Healthcare.Gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls, GAO‑14‑730 (Washington, D.C.: Sept. 16, 2014).

[23] GAO, Information Security: Additional Oversight Needed to Improve Programs at Small Agencies, GAO‑14‑344 (Washington, D.C.: June 25, 2014).

[24] GAO, Computer Matching Act: OMB and Selected Agencies Need to Ensure Consistent Implementation, GAO‑14‑44 (Washington, D.C.: Jan. 13, 2014).

[25] GAO, Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, GAO‑14‑34 (Washington, D.C.: Dec. 9, 2013).

[26] GAO, Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy, GAO‑12‑903 (Washington, D.C.: Sept. 11, 2012).

[27] GAO, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, GAO‑13‑663 (Washington, D.C.: Sept. 25, 2013).

The administration needs to prepare an overarching cybersecurity strategy that includes all desirable characteristics of a national strategy, including milestones and performance measures; cost, sources, and justification for needed resources; specific roles and responsibilities of federal organizations; and guidance, where appropriate, regarding how this strategy relates to priorities, goals, and objectives stated in other national strategy documents; and then demonstrate progress in implementing the strategies and achieving measurable and appropriate outcomes. The strategy should include a roadmap for making significant improvements in the cybersecurity challenge areas listed above and better ensure that federal departments and agencies are held accountable for making significant improvements in those cybersecurity challenge areas.

In addition, DHS, for its role in overseeing agencies’ cybersecurity, should expand CyberStat reviews to all major agencies and continue to enhance the FISMA performance metrics. Executive branch agencies, in particular DHS, also need to continue to enhance their cyber analytical and technical capabilities (including capabilities to address federal cross-agency priorities), expand oversight of federal agencies’ implementation of information security, and demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures.

Agencies also need to (1) develop and implement remedial action plans for resolving known security deficiencies in government systems; (2) fully develop and effectively implement agencywide information security programs, as required by FISMA; (3) demonstrate measurable, sustained progress in improving security over federal systems; (4) fully develop and implement capabilities for continuously diagnosing and mitigating cyber threats and vulnerabilities; (5) improve their response to information security incidents and data breaches involving PII; and (6) consistently develop and implement privacy policies and procedures.[1] Such progress should include having the government-wide material weakness in information security upgraded to a significant deficiency for two consecutive years and reducing the factors that contribute to the significant deficiency, as we reported in our annual audit of the financial statements for the United States government.

Until the White House and executive branch agencies implement the hundreds of recommendations that we and agency inspectors general have made to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs and privacy practices, a broad array of federal assets and operations may remain at risk of fraud, misuse, and disruption, and the nation’s most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries.

In addition to the recently passed laws addressing cybersecurity and the protection of critical infrastructures, Congress should also consider amending applicable laws, such as the Privacy Act and E-Government Act, to more fully protect PII collected, used, and maintained by the federal government.

[1] FISMA 2014.

Gregory C. Wilshusen
Director, Information Security Issues
(202) 512-6244