This is the accessible text file for GAO report number GAO-14-487T entitled 'Information Security: Federal Agencies Need to Enhance Responses to Data Breaches' which was released on April 2, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Committee on Homeland Security and Governmental Affairs, U.S. Senate: For Release on Delivery: Expected at 10:00 a.m. EDT: Wednesday, April 2, 2014: Information Security: Federal Agencies Need to Enhance Responses to Data Breaches: Statement of Gregory C. Wilshusen, Director: Information Security Issues: GAO-14-487T: United States Government Accountability Office: GAO Highlights: Highlights of GAO-14-487T, a testimony before the Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: The federal government collects large amounts of PII from the public, including taxpayer data, Social Security information, and patient health information. It is critical that federal agencies ensure that this information is adequately protected from data breaches, and that they respond swiftly and appropriately when breaches occur. Since 1997, GAO has designated information security as a government-wide high-risk area. Further, data breaches at federal agencies have raised concerns about the protection of PII. Federal laws and other guidance specify the responsibilities of agencies in securing their information and information systems and in responding to data breaches. This testimony addresses federal agencies' efforts to secure their information and respond to data breaches. In preparing this statement, GAO relied primarily on previously published and ongoing work in this area. What GAO Found: The number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years (see figure). Figure: Information Security Incidents Involving PII, Fiscal Years 2009–2013: [Refer to PDF for image: vertical bar graph] Fiscal year: 2009; Number of reported incidents: 10,481. Fiscal year: 2010; Number of reported incidents: 13,028. Fiscal year: 2011; Number of reported incidents: 15,584. Fiscal year: 2012; Number of reported incidents: 22,156. Fiscal year: 2013; Number of reported incidents: 26,566. Source: GAO analysis of US-CERT data for fiscal years 2009-2013. [End of figure] As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including PII. Specifically, agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls. GAO and inspectors general have continued to make recommendations to strengthen agency policies and practices. In December 2013, GAO reported on agencies' responses to PII data breaches and found that they were inconsistent and needed improvement. Although selected agencies had generally developed breach-response policies and procedures, their implementation of key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology guidance was inconsistent. For example, * only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches; two agencies documented the number of affected individuals for each incident; and two agencies notified affected individuals for all high- risk breaches. * the seven agencies did not consistently offer credit monitoring to affected individuals; and; * none of the seven agencies consistently documented lessons learned from their breach responses. Incomplete guidance from OMB contributed to this inconsistent implementation. For example, OMB's guidance does not make clear how agencies should use risk levels to determine whether affected individuals should be notified. In addition, the nature and timing of reporting requirements may be too stringent. What GAO Recommends: In its December 2013 report, GAO made 22 recommendations to the agencies included in its review aimed at improving their data breach response activities. GAO also recommended that OMB update its guidance on federal agencies' responses to PII-related data breaches. Agency responses to GAO's recommendations varied. View [hyperlink, http://www.gao.gov/products/GAO-14-487T]. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Chairman Carper, Ranking Member Dr. Coburn, and Members of the Committee: Thank you for inviting me to testify today on efforts to protect individuals' personally identifiable information (PII)[Footnote 1] from data breaches and to notify victims when a data breach has occurred. As you know, in carrying out its responsibilities the federal government collects large quantities of PII, such as taxpayer data, census data, Social Security information, and patient health information, on American citizens and other residents of our nation. Consequently, it is critical that federal agencies take steps to secure the information they collect, retain, and disseminate and that, when events such as data breaches[Footnote 2] occur, they respond swiftly and appropriately. We first identified the protection of federal information systems as a government-wide high-risk area in 1997 and continued to do so in the most recent update to our high-risk series.[Footnote 3] My testimony today will discuss federal agencies' efforts to secure their information--including PII--and systems, and their responses when incidents involving PII occur. In preparing this testimony we relied on previously published work in these areas, as well as the preliminary results from a study whose results will be published later this spring. All the work supporting this statement was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. Background: Data breaches involving PII can occur under many circumstances and for many reasons. They can be inadvertent, such as from the loss of an electronic device, or deliberate, such as from the theft of a device or a cyber-based attack by a malicious individual or group, foreign nation, terrorist, or other adversary. Incidents have been reported at a wide range of public-and private-sector institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; retailers; and other types of businesses. The loss or unauthorized disclosure or alteration of the information residing on federal systems, which can include PII, can lead to serious consequences and substantial harm to individuals and the nation. Thus it is critical that federal agencies protect their systems and the information on them and respond to data breaches and cyber incidents when they occur. Information Security Incidents Have Increased: Over the last several years, federal agencies have reported an increasing number of information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). These include both cyber- and non-cyber-related incidents, and many of them involved PII. Figure 1 shows that the total number of security incidents reported annually more than doubled from fiscal year 2009 to fiscal year 2013. Figure 1: Information Security Incidents Reported to US-CERT by All Federal Agencies, Fiscal Years 2009-2013: [Refer to PDF for image: vertical bar graph] Fiscal year: 2009; Number of reported incidents: 29,999. Fiscal year: 2010; Number of reported incidents: 41,776. Fiscal year: 2011; Number of reported incidents: 42,854. Fiscal year: 2012; Number of reported incidents: 48,562. Fiscal year: 2013; Number of reported incidents: 61,214. Source: GAO analysis of US-CERT data for fiscal years 2009-2013. [End of figure] These incidents are categorized by type. Figure 2 shows the categories into which incidents reported in fiscal year 2013 fell. Figure 2: Information Security Incidents by Category, Fiscal Year 2013: [Refer to PDF for image: pie-chart] Noncyber: 25%; Policy violation: 19%; Malicious code (malware): 16%; Equipment: 16%; Social engineering: 6%; Suspicious network activity: 5%; Phishing: 3%; Improper usage: 2%; Unauthorized access: 1%; Denial of service: 1%; Other: 7%. Source: GAO analysis of US-CERT data for fiscal year 2013. [End of figure] Moreover, a significant number of security incidents reported by agencies have involved PII.[Footnote 4] Figure 3 shows that the number of incidents involving PII for fiscal years 2009 through 2013 increased over 140 percent. Figure 3: Incidents Involving PII, Fiscal Years 2009-2013: [Refer to PDF for image: vertical bar graph] Fiscal year: 2009; Number of reported incidents: 10,481. Fiscal year: 2010; Number of reported incidents: 13,028. Fiscal year: 2011; Number of reported incidents: 15,584. Fiscal year: 2012; Number of reported incidents: 22,156. Fiscal year: 2013; Number of reported incidents: 26,566. Source: GAO analysis of US-CERT data for fiscal years 2009-2013. [End of figure] Data breaches at federal agencies have received considerable publicity and raised concerns about the protection of PII at those agencies. Most notably, in May 2006, the Department of Veterans Affairs (VA) reported that computer equipment containing PII on about 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee. More recent examples of incidents that compromised individuals' personal information further highlight the impact that such incidents can have: * In July 2013, hackers stole a variety of PII on more than 104,000 individuals from a Department of Energy system. Types of data stolen included Social Security numbers, birth dates and locations, bank account numbers and security questions and answers. According to the department's Inspector General, the combined costs of assisting affected individuals and lost productivity--due to federal employees being granted administrative leave to correct issues stemming from the breach--could be more than $3.7 million.[Footnote 5] * In May 2012, the Federal Retirement Thrift Investment Board (FRTIB) reported a sophisticated cyber attack on the computer of a contractor that provided services to the Thrift Savings Plan. As a result of the attack, PII associated with approximately 123,000 plan participants was accessed. According to FRTIB, the information included 43,587 individuals' names, addresses, and Social Security numbers, and 79,614 individuals' Social Security numbers and other PII-related information. * In March 2012, a laptop computer containing sensitive PII was stolen from a National Aeronautics and Space Administration employee at the Kennedy Space Center. As a result, 2,300 employees' names, Social Security numbers, dates of birth, and other personal information were exposed. * In February 2009, the Federal Aviation Administration notified employees that an agency computer had been illegally accessed and that employee PII had been stolen electronically. Two of the 48 files on the breached computer server contained personal information about more than 45,000 agency employees and retirees. Federal Laws and Policies Establish Agency Information Security Responsibilities: Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA), establishes a framework designed to ensure the effectiveness of security controls over information resources that support federal operations and assets. According to FISMA, each agency is responsible for, among other things, providing information security protections commensurate with the risk and magnitude resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency and information systems used or operated by an agency or by a contractor or other organization on behalf of an agency. These protections are to provide federal information and systems with integrity--preventing improper modification or destruction of information; confidentiality-- preserving authorized restrictions on access and disclosure; and availability--ensuring timely and reliable access to and use of information. Under FISMA, agencies are required to develop procedures for detecting, reporting, and responding to security incidents, consistent with federal standards and guidelines, including mitigating risks associated with such incidents before substantial damage is done. The law also requires the operation of a central federal information security incident center that compiles and analyzes information about incidents that threaten information security. The Department of Homeland Security (DHS) was given the role of operating this center, which became US-CERT, by the Homeland Security Act. DHS's role is further defined by Office of Management and Budget (OMB) guidance, which requires that incidents involving PII be reported to US-CERT within 1 hour of discovery. US-CERT is also responsible for providing timely technical assistance to operators of agency information systems regarding security incidents, including offering guidance on detecting and handling incidents. In addition to establishing responsibilities for agencies, FISMA assigns specific responsibilities to OMB, the National Institute of Standards and Technology (NIST) and inspectors general: * OMB is to develop and oversee the implementation of policies, principles, standards, and guidelines on information security in federal agencies (except with regard to national security systems). It is also responsible for reviewing, at least annually, and approving or disapproving agency information security programs. * NIST's responsibilities include developing security standards and guidelines for agencies that include standards for categorizing information and information systems according to ranges of risk levels, minimum security requirements for information and information systems in risk categories, guidelines for detection and handling of information security incidents, and guidelines for identifying an information system as a national security system. * Agency inspectors general are required to annually evaluate the information security program and practices of their agency. The results of these evaluations are to be submitted to OMB, and OMB is to summarize the results in its reporting to Congress. In July 2010, the Director of OMB and the White House Cybersecurity Coordinator issued a joint memorandum stating that DHS was to exercise primary responsibility within the executive branch for the operational aspects of cybersecurity for federal information systems that fall within the scope of FISMA. Agencies Continue to Face Challenges in Effectively Securing Their Information: In September 2013 we issued the most recent of our periodic reports on federal agencies' compliance with the requirements of FISMA.[Footnote 6] Specifically, we reported that, for fiscal year 2012, 24 major federal departments and agencies covered by the Chief Financial Officers Act[Footnote 7] had established many of the components of an agency-wide information security program, as required by FISMA, but had only partially established others. In particular, with regard to the eight components of an agency-wide security program, * 18 agencies had fully implemented a program for managing information security risk, and 6 had partially implemented such a program; * 10 agencies had fully documented security policies and procedures, while 12 had partially documented them;[Footnote 8] * 18 agencies had selected security controls for their systems, but 6 had only partially implemented this practice; * 22 agencies had established a security training program, and 2 had partially established such a program; * 13 agencies were monitoring security controls on an ongoing basis, but 10 agencies had not fully implemented a continuous monitoring program;[Footnote 9] * 19 agencies had established a program for remediating weaknesses in their security policies, practices, and procedures, while 5 had not fully implemented elements of a remediation program; * 20 agencies had established an incident response and reporting program, but 3 agencies had not fully established such a program; [Footnote 10] and: * 18 agencies had fully established a program for ensuring continuity of operations in the event of a disruption or disaster, but 5 agencies partially implemented a continuity of operations program.[Footnote 11] The extent to which the agencies had implemented security program components showed mixed progress from fiscal year 2011 to fiscal year 2012. For example, according to inspectors general reports, the number of agencies that had analyzed, validated, and documented security incidents increased from 16 to 19, while the number able to track identified weaknesses had declined from 20 to 15. In addition, although most agencies had implemented elements of their security programs, we and inspectors general continued to identify weaknesses in elements of their programs, such as the implementation of specific security controls. Specifically, most major federal agencies had weaknesses in major categories of information security controls, as defined by our Federal Information System Controls Audit Manual.[Footnote 12] Table 1 shows, for fiscal year 2012, the number of the 24 major federal agencies that had weaknesses in the five major control categories. Table 1: Information Security Control Weaknesses at 24 Major Agencies in Fiscal Year 2012: Control category: Security management; Number of agencies with weaknesses: 24. Control category: Access controls; Number of agencies with weaknesses: 23. Control category: Configuration management; Number of agencies with weaknesses: 24. Control category: Segregation of duties; Number of agencies with weaknesses: 18. Control category: Contingency planning; Number of agencies with weaknesses: 24. Source: GAO analysis of agency inspector general data. Note: Security management includes an agency-wide information security program to provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented; access controls ensure that only authorized individuals can read, alter, or delete data; configuration management controls provide assurance that only authorized software programs are implemented; segregation of duties reduces the risk that one individual can independently perform inappropriate actions without detection; and contingency planning includes continuity of operations, which provides for the prevention of significant disruptions of computer-dependent operations. [End of table] Illustrating the extent to which weaknesses continue to affect the 24 major federal agencies, in fiscal year 2013, inspectors general at 21 of the 24 agencies cited information security as a major management challenge for their agency, and 18 agencies reported that information security control deficiencies were either a material weakness or significant deficiency[Footnote 13] in internal controls over financial reporting in fiscal year 2013. These weaknesses show that information security continues to be a major challenge for federal agencies, putting federal systems and the information they contain, including PII, at increased risk. We and agency inspectors general have continued to make numerous recommendations to agencies aimed at improving their information security posture. Fully implementing these recommendations will strengthen agencies' ability to ensure that their information, including PII, is adequately protected. Agencies Need to Improve Responses to Data Breaches and Cyber Incidents: Even when information security programs have been implemented effectively, data breaches can occur. Accordingly, OMB and NIST have specified key practices for responding to PII data breaches.[Footnote 14] These include management practices such as establishing a data breach response team and training employees on roles and responsibilities for breach response, and operational practices, such as preparing reports on suspected data breaches and submitting them to appropriate internal and external entities, assessing the likely risk of harm and level of impact of a suspected breach, offering assistance to affected individuals (if appropriate), and analyzing the agency's breach response and identifying lessons learned. Table 2 provides more details on these key management and operational practices. Table 2: Key Management and Operational Practices to Be Included in Policies for Responding to Data Breaches Involving Personally Identifiable Information (PII): Key management practice: Establish a data breach response team; Description: While technical remediation is usually handled by IT security staff, agencies should create a team to oversee responses to a suspected or confirmed data breach, including the program manager of the program experiencing the breach, chief information officer, chief privacy officer or senior agency official for privacy, communications office, legislative affairs office, general counsel, and the management office which includes budget and procurement functions. Key management practice: Train employees on roles and responsibilities for breach response; Description: Agencies should train employees on their data breach response plan and their roles and responsibilities should a breach occur. Specifically, OMB requires agencies to initially train employees on their privacy and security responsibilities before permitting access to agency information and information systems and thereafter provide at least annual refresher training to ensure employees continue to understand their responsibilities. Key operational practice: Prepare reports on suspected data breaches and submit them to appropriate internal and external entities; Description: Agencies should establish procedures for promptly reporting a suspected or confirmed breach to the appropriate internal management entities and external oversight entities. For example, the breach response team should be notified about all suspected or confirmed breaches. Further, agencies must report all incidents involving PII to US-CERT within 1 hour of discovering the suspected or confirmed incident. Key operational practice: Assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals is needed; Description: In addition to any immediate remedial actions they may take, agencies should assess a suspected or confirmed breach to determine if there is a likely risk of harm and the level of impact, if applicable. OMB outlined five factors that should be considered in assessing the likely risk of harm: (1) nature of the data elements breached, (2) number of individuals affected, (3) likelihood the information is accessible and usable, (4) likelihood the breach may lead to harm, and (5) ability of the agency to mitigate the risk of harm. Once a risk level is determined, agencies should use this information to determine whether notification to affected individuals is needed and, if so, what methods should be used. OMB instructed agencies to be mindful that notification when there is little or no risk of harm might create unnecessary concern and confusion. It also stated that while the magnitude of the number of affected individuals may dictate the method chosen for providing notification, it should not be the determining factor for whether an agency should provide notification. Key operational practice: Offer assistance to affected individuals (if appropriate); Description: Agencies should have procedures in place to determine whether services such as credit monitoring should be offered to affected individuals to mitigate the likely risk of harm. OMB instructed agencies that, while assessing the level of risk in a given situation, they should simultaneously consider options for attenuating that risk. Key operational practice: Analyze breach response and identify lessons learned; Description: Agencies should review and evaluate their responses to a data breach, including any remedial actions that were taken, and identify lessons learned, which should be incorporated into agency security and privacy policies and practices as necessary. NIST recommended holding a "lessons learned" meeting with all involved parties after a major incident and periodically after lesser incidents, as resources permit, to assist in handling similar incidents and improving security measures. Source: GAO analysis of OMB and NIST guidance. [End of table] In December 2013, we reported on our review of issues related to PII data breaches.[Footnote 15] The eight agencies in our review[Footnote 16] had generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving PII that addressed key practices. Specifically, with few exceptions, the agencies reviewed addressed the key management and operational practices in their policies and procedures. However, they did not consistently implement the operational practices, as summarized in figure 4. Figure 4: Operational Steps in Data Breach Response Practices: [Refer to PDF for image: illustration] 1. Prepare reports and submit them to appropriate entities. 2. Assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals is needed. 3. Offer assistance to affected individuals (if appropriate). 4. Analyze breach response and identify lessons learned. Source: GAO analysis of OMB and NIST guidelines. [End of figure] For example, * Of the seven agencies[Footnote 17] we reviewed, only the Internal Revenue Service (IRS) consistently documented both an assigned risk level and how that level was determined for PII-related data breach incidents; only the Army and IRS documented the number of affected individuals for each incident; and only the Army and the Securities and Exchange Commission notified affected individuals for all high- risk breaches. * The seven agencies did not consistently offer credit monitoring to individuals affected by PII-related breaches. * None of the seven agencies consistently documented lessons learned from PII breaches, including corrective actions to prevent similar incidents in the future or whether better security controls could help detect, analyze, and mitigate future incidents. Incomplete guidance from OMB contributed to this inconsistent implementation. For example, OMB's guidance does not make clear how agencies should use risk levels in making a determination about notification to affected individuals. Further, OMB guidance states that the risk levels should help determine when and how notification should be provided, but it does not set specific requirements for notification based on agency risk determinations. In addition, OMB guidance for reporting on data breaches involving PII may be too stringent. Specifically, OMB guidance requires that DHS collect information about PII-related breaches within 1 hour, but officials at US-CERT and the agencies in our review generally agreed that this requirement was difficult to meet and may not provide US- CERT with the best information. For example, some agencies noted that it is difficult to provide a meaningful report on a breach within 1 hour since relevant information--such as how much PII was affected or the extent of the risk--may not be available within that time frame. Agency officials also questioned the value of reporting certain types of PII breaches, such as paper-based incidents or incidents involving the loss of hardware containing encrypted PII, individually to US- CERT, as currently required. Officials from US-CERT agreed that their office should not be receiving all PII-related incident reports individually as they occur. According to DHS officials, the PII-related incident data they collect are not generally used to help remediate incidents or provide technical assistance to agencies. Rather, the information is compiled in accordance with certain FISMA requirements and reported to OMB. We determined that the limited use of these data calls into question OMB's requirement that such incidents be reported within 1 hour. US- CERT officials also noted that the vast majority of PII-related data breaches are not cybersecurity related--that is, they do not involve attacks on or threats to government systems or networks. Thus receiving information about such incidents on an individual basis may not be useful to the office in pursuing its mission. Finally, we reported that seven of the eight agencies in our review had not requested technical assistance from US-CERT when PII data breaches occurred. DHS officials said that US-CERT is not equipped to assist agencies in remediating paper-based incidents, and agencies agreed that issues they encounter in dealing with PII breaches are generally best addressed by agency general counsel staff or privacy officers. DHS's Privacy Office has developed guidance that addresses agencies' obligations to protect PII and procedures to follow when a suspected PII incident occurs, but this is geared more toward developing agency response capabilities in general rather than supporting decision-making related to specific incidents. In our report, we recommended that OMB revise its guidance on federal agencies' response to PII-related data breaches to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals; and (3) revised requirements for reporting PII-related breaches to US- CERT. In commenting on our draft report, officials from OMB's Office of Information and Regulatory Affairs stated that our recommendation did not sufficiently specify what supplemental guidance was needed; we subsequently revised the draft recommendation to provide greater specificity. We also made a number of recommendations to the individual agencies in our review to improve their response to data breaches involving PII. Specifically, we recommended, among other things, that several of the agencies (1) consistently document risk levels and how those levels are determined for PII-related data breach incidents; (2) document the number of affected individuals for each incident; and (3) identify lessons learned from responses to PII breaches. Agencies varied in the extent to which they concurred with these recommendations, with some providing information pertaining to the recommendations. In response to agencies' comments, we clarified or deleted three draft recommendations but retained the rest as still warranted. Agencies Need to Improve Cyber Incident Response Practices: In a forthcoming report, to be issued later this spring, we plan to provide the results of our study of federal agencies' ability to respond to cyber incidents.[Footnote 18] More specifically, we have determined the extent to which (1) federal agencies are effectively responding to cyber incidents, and (2) DHS is providing cybersecurity incident assistance to agencies. While these results are still subject to revision, we estimate, based on a statistical sample of cyber incidents reported in fiscal year 2012, that the 24 major federal agencies did not effectively or consistently demonstrate actions taken in response to a detected cyber incident in about 65 percent of reported incidents.[Footnote 19] For example, agencies identified the scope of incidents in the majority of cases, but did not always demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether actions to prevent the recurrence of an incident were taken. We also reviewed six selected agencies in greater depth and found that, while they had developed parts of policies, plans, and procedures to guide incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. The inconsistencies in agencies' incident response activities suggest that additional oversight, such as that provided by OMB and DHS during the CyberStat review process,[Footnote 20] may be warranted. However, these meetings generally have not covered agencies' incident response practices. With regard to DHS's role, we observed that DHS provides various services to agencies to assist them in preparing to handle incidents, maintain awareness of the current threat environment, and deal with ongoing incidents. However, opportunities exist to enhance the usefulness of these services, such as improving reporting requirements and evaluating the effectiveness of these services. To improve the effectiveness of government-wide cyber incident response activities, we are planning to make recommendations to OMB and DHS to address agency response practices. We also plan to make recommendations to the six selected agencies in our review to improve their cyber incident response programs. In summary, the increasing number of cyber incidents at federal agencies, many involving the compromise of PII, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government. These actions include establishing comprehensive agency-wide information security programs and consistently and effectively responding to incidents when they occur. As we and inspectors general have long pointed out, federal agencies continue to face challenges in effectively implementing all elements of their information security programs. Likewise, agencies have not been consistent or fully effective in responding to data breaches and cyber incidents. Ongoing improvements in these areas are needed to help ensure that the personal information entrusted to the government by American citizens and other individuals will be protected. Chairman Carper, Ranking Member Dr. Coburn, and Members of the Committee, this concludes my statement. I would be happy to answer any questions you may have. Contact and Acknowledgments: If you have any questions regarding this statement, please contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Other key contributors to this statement include John A. de Ferrari and Jeffrey Knott (assistant directors), Larry E. Crosland, Marisol Cruz, and Lee McCracken. [End of section] Footnotes: [1] PII is any information that can be used to distinguish or trace an individual's identity, such as name, date, and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information. [2] The term "data breach" generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information, including PII. [3] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 2013). [4] PII-related incidents can include both cyber-and non-cyber-related incidents. [5] Department of Energy, Office of the Inspector General, The Department of Energy's July 2013 Cyber Security Breach, DOE/IG-0900 (Washington, D.C.: Dec. 6, 2013). [6] GAO, Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-13-776] (Washington, D.C.: Sept. 26, 2013). [7] The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. [8] An additional 2 agencies did not fully evaluate this program component in 2012. [9] One additional agency did not fully evaluate this program component in fiscal year 2012. [10] One additional agency did not fully evaluate this program component in fiscal year 2012. [11] One additional agency did not fully evaluate this program component in fiscal year 2012. [12] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009). [13] A material weakness is a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. [14] These practices were specified in guidance documents issued by OMB and NIST. See OMB, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, M-07-16 (Washington, D.C.: May 22, 2007); and NIST, Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61, Revision 2 (Gaithersburg, Md.: August 2012). [15] GAO, Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, [hyperlink, http://www.gao.gov/products/GAO-14-34] (Washington, D.C.: Dec. 9, 2013). [16] These agencies were the Centers for Medicare & Medicaid Services, Department of the Army, Department of Veterans Affairs, Federal Deposit Insurance Corporation, Federal Reserve Board, Federal Retirement Thrift Investment Board, Internal Revenue Service, and Securities and Exchange Commission. [17] We did not include FRTIB in our analysis of agency implementation of key operational practices because it reported experiencing only one incident involving PII in fiscal year 2012. [18] GAO, Information Security: Agencies Need to Improve Cyber Incident Response Practices, [hyperlink, http://www.gao.gov/products/GAO-14-354] (forthcoming). [19] There is 95 percent confidence that the estimate falls between 58 and 72 percent. [20] CyberStat reviews are in-depth sessions with National Security Staff, OMB, DHS, and an agency to discuss that agency's cybersecurity posture and opportunities for collaboration. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]