Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Security vulnerabilities"

    4 publications with a total of 16 open recommendations
    Director: Seto J. Bagdoyan
    Phone: (202) 512-6722

    4 open recommendations
    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency: Department of Commerce: Office of Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency: Department of Commerce: National Institute of Standards and Technology
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    9 open recommendations
    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS officials stated that they have continued pilot activities that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation and have collected lessons learned that are being tracked by the NCPS Program Management Office. Officials added that DHS had identified a contractor to support the transition of the pilot, including drafting an implementation plan; however, it had yet to award a contract due to lack of resources. As such, the agency did not have an estimated date on the completion of a draft plan for how the transition would be implemented. We requested that DHS provide a copy of the draft implementation plan for our review, when it became available. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the NCPS Program Management Office is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 2017. Additionally, regarding encrypted traffic, officials stated that it is conducting an analysis of Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, and how the issue is being addressed at a broader industry level. The study is scheduled to continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any findings from the ongoing SCADA and Encrypted traffic studies. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS PMO is working with participating Internet Service Providers (ISP) to develop plans to support IPv6 for Traffic Aggregation, DNS redirection, and SMTP quarantining capabilities. Officials stated that an implementation plan that would include all ISP schedules for all planned intrusion prevention services would be available in the third quarter of fiscal year 17. Additionally, officials stated that NSD is conducting an analysis on Security on Encrypted Traffic (SonET) to better understand options for addressing the challenges, viability of options, how the issue is being addressed at a broader industry level. The study will continue through the fourth quarter of fiscal year 2017. We asked DHS to provide the ISP implementation plans (when finalized) and any output/results (findings) from the ongoing studies DHS has related to SCADA and Encrypted traffic. We will continue to monitor DHS's progress in addressing this recommendation.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that enhancements were made so that Continuous Diagnostics and Mitigation program (CDM) data can be viewed with the Cyber Indicators Analysis Program (CIAP). Officials stated that the CDM data now may be combined with known vulnerability findings from NCATS and known threats collected from the CIAP system to further prioritize signature development as necessary. We have requested a meeting with DHS to observe the described enhancements. We believe that we will be able to close this recommendation, once we observe the claimed enhancements.
    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 Update: In Feb. 2017, DHS stated that US-CERT is in the process of developing a targeted survey of EINSTEIN customers (based off of a prior survey). Additionally, US-CERT has updated the Incident Reporting Guidelines to address previously mentioned process concerns. We have requested a copy of these guidelines and will review the modifications made within. Additionally, DHS stated that modifications to the Remedy ticketing system are underway that would allow for the inclusion of user feedback. These changes are anticipated to be implemented by October 2017. We likely would not be able to close this recommendation until we could review the results of the modifications.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the Office of Cyber Security and Communications (CS&C) had developed, refined, and were baselining a first set of measures that relate to the Einstein 3A program. Further, they are considering adding one of these measures as an addition to the measures tracked in support of the yearly Government Performance and Results Act (GPRA) required reporting in FY 2018. Additionally, DHS officials stated they are developing information sharing related measures, including exploring how its public and private sector recipients of information measure the value cyber threat indicators and defensive measures. In March 2017, we requested a copy of the developed measures, when they became available. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.
    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS provided memos that gave an overview of the planned enhancements to the Continuous Diagnostics and Mitigation (CDM) program that included references to cloud providers. However, DHS did not provide any specific requirements for us to review. We have requested a follow-up meeting to review the specific requirements developed in support of the planned enhancements described in the provided memos. We will not be able to close this recommendation until we can review the developed requirements and determine that cloud providers are appropriately covered.
    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS stated that the NCPS Program Management Office has made enhancements to the Continuous Diagnostics and Mitigation (CDM) dashboard, but had yet to fully develop the CDM/NCPS data correlation. In March 2017, we asked for update on the status of data correlation, once available. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.
    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency: Department of Homeland Security
    Status: Open

    Comments: April 2017 update: In Feb. 2017, DHS officials stated that the agency worked with the Office of Management and Budget to develop a draft Trusted Internet Connections Reference Architecture. This architecture is to serve as the new guidance for agencies on perimeter security capabilities as well as alternative routing strategies. In March 2017, we requested a copy of the guidance to review the alternative routing guidance. This recommendation will remain open until we have been able to review the information above.
    Director: Chris Currie
    Phone: (404) 679-1875

    2 open recommendations
    Recommendation: To ensure the accuracy of the data submitted by chemical facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD, in the interim, to identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, as of November 2016 ISCD completed its assessment of all Top-Screens which reported threshold quantities of release-toxic chemicals of interest and identified 158 facilities with the potential to cause the greatest harm. ISCD contacted all 158 facilities and received revised Top-Screens from 101, according to ISCD officials. ISCD halted pursuit of revised Top-Screens from the remaining facilities during summer 2016 in anticipation of the pending release of CSAT 2.0, the Top-Screen application, which both eliminates the Distance of Concern question and will result in all remaining facilities being required to submit a new Top-Screen upon the activation of CSAT 2.0. CSAT 2.0 was activated October 1, 2016, and DHS sent a letter to each of the remaining facilities informing them of their obligation to submit a new top-screen, according to ISCD officials. ISCD is continuing to monitor the resolution of the remaining cases and expects to have assessed updated Top-Screens for all of them within the first or second quarter of 2017. We will update the status of this recommendation after additional information is received from DHS.
    Recommendation: In addition, to better manage compliance among high-risk chemical facilities and demonstrate program results, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans.

    Agency: Department of Homeland Security
    Status: Open

    Comments: According to Infrastructure Security Compliance Division (ISCD) officials, ISCD is nearing finalization of the updated CFATS Inspection Standard Operating Procedure (SOP) and has made progress on the new CFATS Enforcement SOP. Once completed, expected in mid-2017, these two documents collectively will formally document the processes and procedures currently being used to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans, according to ISCD officials. We will update the status of this recommendation after additional information is received from DHS.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To help mitigate vulnerabilities in mobile devices, the Chairman of the Federal Communications Commission should monitor progress of wireless carriers and device manufacturers in achieving their milestones and time frames once an industry baseline of mobile security safeguards has been implemented.

    Agency: Federal Communications Commission
    Status: Open

    Comments: FCC plans on monitoring the progress of wireless carriers and device manufacturers in achieving their milestones and time frames through one-on-one cyber risk management assurance meetings with service providers. FCC stated that it anticipates the meetings will begin within the next year pending the Commission's adoption of the policy statement for conducting the recommended meetings. We will validate these actions in the coming year.