What We Found
Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data.
Since our previous 2019 High-Risk Report, ratings for one criterion—leadership commitment—declined from met to partially met. The other four criteria remain unchanged.
Leadership commitment: partially met. The White House’s September 2018 National Cyber Strategy and the National Security Council’s (NSC) accompanying June 2019 Implementation Plan detailed the executive branch’s approach to managing the nation’s cybersecurity. In addition, in September 2020, we reported that the White House identified the NSC as the organization responsible for coordinating the implementation of the National Cyber Strategy.
In light of the elimination of the White House Cybersecurity Coordinator position in May 2018, it had remained unclear what official within the executive branch is to ultimately be responsible for coordinating the execution of the Implementation Plan and holding federal agencies accountable for the plan’s nearly 200 activities moving forward. In January 2021, Congress enacted a statute that established the Office of the National Cyber Director within the Executive Office of the President.
The office is to be headed by a Senate-confirmed National Cyber Director and is to, among other things, coordinate cybersecurity policy and operations across the executive branch. Once this position is filled, the White House can (1) ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy, and (2) coordinate the government’s efforts to overcome the nation’s cyber-related threats and challenges.
It is also important for the United States to have sufficient leadership in building consensus among international organizations regarding internet standards and cultivating norms for acceptable state behavior in cyberspace. In June 2019, the Department of State (State) notified Congress of its intent to establish a new Bureau of Cyberspace Security and Emerging Technologies (CSET) that would focus on cyberspace security and the security aspects of emerging technologies.
However, we reported in September 2020 that officials from six agencies that work with State on cyber diplomacy issues stated that (1) they were unaware of State’s plan to develop CSET, and (2) being informed of State’s plan for CSET could be helpful for maintaining their communications with State. We recommended in September 2020 that State involve federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, as it implements its plan to establish CSET.
We also reported in July 2020 that the United States does not have a comprehensive internet privacy law governing the collection, use, and sale of personal information by private-sector companies. In addition, no federal law expressly regulates the commercial use of facial recognition technology, including the identifying and tracking of individuals.
Further, in most contexts, federal law does not address how personal data derived from facial recognition technology may be used or shared. As we previously reported, the Federal Trade Commission lacks explicit and comprehensive authority related to privacy issues and the Federal Communications Commission has had a limited role in overseeing internet privacy.
Capacity: partially met. In July 2019, we reported that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) had several initiatives under way to assist agencies in meeting challenges related to hiring and retaining cybersecurity risk management personnel. For example, one such initiative included a program offering current federal employees who do not work in the information technology (IT) field the opportunity for hands-on training in cybersecurity for 3 months to help them build foundational skills in cyber defense analysis.
However, federal agencies have not fully assessed and addressed future agency cybersecurity workforce needs. In particular, we reported in March 2019 that the 24 Chief Financial Officers (CFO) Act agencies had likely miscategorized the work roles of many IT and cybersecurity positions. For example, at least 22 of the 24 agencies designated positions as not performing IT, cybersecurity, or cyber-related functions, when they did most likely perform these functions.
In addition, in October 2019, we reported that none of the 24 CFO Act agencies that we reviewed had fully implemented best practices for IT/cybersecurity workforce planning activities. Agencies’ limited implementation of these activities has been due, in part, to not making IT/cybersecurity workforce planning a priority, although laws and guidance have called for them to do so for more than 20 years. Until this occurs, agencies will likely not have the staff with the necessary knowledge, skills, and abilities to address cybersecurity risks and challenges.
In addition, federal and nonfederal critical infrastructure entities continue to face challenges in ensuring that their cybersecurity workforce has the appropriate skills. For example, according to an assessment from the Department of Energy (DOE), the electricity subsector continues to face challenges in recruiting and maintaining experts with strong knowledge of cybersecurity practices, as well as knowledge of industrial control systems supporting the electric grid.
Further, we reported in October 2020 that the Federal Aviation Administration does not currently have a staff training program specific to avionics cybersecurity and none of the agency’s certification staff are required to take cybersecurity training tailored to their oversight roles. Until these challenges are resolved, federal and nonfederal critical infrastructure entities may not have the expertise necessary to address the increasing cybersecurity risks to their systems.
Action plan: partially met. As previously mentioned, the National Cyber Strategy and associated implementation plan outline the executive branch’s approach to cybersecurity that federal agencies are to undertake. However, in September 2020, we reported that the strategy and implementation plan address some, but not all, of the desirable characteristics of national strategies.
For example, although the implementation plan detailed 191 activities that federal entities are to undertake, the plan did not include goals and timelines for 46 of the activities, identify the resources needed to execute 160 activities, or specify a process for monitoring agency progress.
Without a consistent approach to engaging with responsible entities and a comprehensive understanding of what is needed to implement all 191 activities, the executive branch will face challenges in ensuring that the National Cyber Strategy is efficiently executed.
In addition, although sector-specific agencies have developed subordinate strategies for addressing cybersecurity risks and challenges to critical infrastructure, these strategies did not always address the characteristics needed for such strategies. For example, in August 2019, we found that the nation’s electrical grid was becoming more vulnerable to cyberattacks—particularly those involving industrial control systems that support grid operations.
Although DOE had developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, these documents did not fully address all of the characteristics needed for a national strategy. For example, DOE's risk assessment had significant methodological limitations and did not fully analyze grid cybersecurity risks.
Further, although federal agencies have taken steps to develop plans for managing their cybersecurity risks, agencies have not consistently implemented those plans. For example, we reported in July 2019 that only 15 of 23 civilian CFO Act agencies had policies that called for the prioritization of plans of action and milestones (POA&M)—that is, plans that identify the corrective actions needed to remediate cybersecurity deficiencies.
In addition, we reported that 13 of 16 selected agencies had deficiencies in their processes for managing POA&Ms, such as inadequately documenting or tracking their status. As another example, in April 2020, we reported that the Department of Defense (DOD) had not fully implemented three of its key initiatives aimed at managing the department’s most common and pervasive risks. Without consistent implementation of plans for addressing cybersecurity risks, agencies may not be taking the foundational steps needed to ensure that sensitive data is not lost or agency systems are not compromised.
Monitoring: partially met. Although DHS, the General Services Administration (GSA), and OMB have established various programs aimed at helping agencies monitor and address cybersecurity risks, agencies have been challenged in implementing them, for example, in the following areas:
- Continuous diagnostics and mitigation (CDM). DHS established the CDM program to allow federal agencies to automate network monitoring, correlate and analyze security-related information, and enhance risk-based decision-making at both the individual agency and federal levels. We reported in August 2020 that, while the three selected agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements.
- Federal Risk and Authorization Management Program (FedRAMP). Established by OMB and managed by GSA, the FedRAMP program is intended to provide a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. However, we reported in December 2019 that, while OMB required agencies to use FedRAMP to authorize the use of cloud services, it did not monitor or ensure that agencies were doing so.
We also reported that FedRAMP participants identified a number of challenges, such as a lack of the agency resources required to authorize a cloud service or of those needed by the provider to implement the program’s requirements. While GSA had taken steps aimed at addressing these challenges, its guidance on FedRAMP’s requirements and participants’ responsibilities was not always clear, and the program’s process for monitoring the status of security controls over cloud services was limited.
- DHS binding operational directives. DHS has established a five-step process for developing and overseeing the implementation of binding operational directives (i.e., mandatory requirements for certain civilian executive branch departments and agencies to safeguard federal information and information systems). The process includes validating agencies’ actions on the directives.
We reported in February 2020 that, although DHS had carried out its validation process for selected directives, it had not done so for others. DHS was not well positioned to validate all directives because it lacked a strategy and risk-based approach to check selected agency-reported actions to validate their completion.
In addition, we reported in July 2019 that, with certain exceptions, OMB was generally implementing its government-wide Federal Information Security Modernization Act requirements, including issuing guidance and implementing programs that are intended to improve agencies' information security. However, we noted that OMB had reduced the number of CyberStat meetings (i.e., meetings held in coordination with DHS to engage agency leadership to ensure that agencies are taking the appropriate actions to strengthen their cybersecurity posture).
Specifically, it held 24 meetings in fiscal year 2016 and only three meetings in fiscal year 2018—thereby restricting key activities for overseeing agencies' implementation of information security. Additionally, in May 2019, we reported that OMB had not issued guidance requiring agencies to report on their progress in implementing National Institute of Standards and Technology’s identity proofing guidance (i.e., processes for verifying that individuals who apply online for benefits and services are who they say they are).
Further, sector-specific agencies—agencies that assist in protecting critical infrastructure owners and operators, including enhancing cybersecurity—continue to face challenges in measuring progress that critical infrastructure entities are making toward addressing cybersecurity risks. For example:
- We reported in February 2020 that most of the sector-specific agencies had not developed methods to determine their level and type of cybersecurity framework adoption, as we previously recommended. Specifically, only two of the nine sector-specific agencies—DOD in collaboration with the defense industrial base sector and GSA in conjunction with DHS’s Federal Protective Service—had methods to determine the level and type of framework adoption across their respective sectors.
- We reported in September 2020 that the Department of the Treasury (Treasury)—the designated lead agency for the financial sector—had not fully implemented our previous recommendation to establish metrics related to the value and results of the sector’s cyber risk mitigation efforts. Specifically, the department’s 2016 sector-specific plan, which was to direct the sector’s activities, did not identify ways to measure sector progress and was out of date. Treasury also did not track the content or progress of ongoing cyber risk mitigation efforts within the sector to minimize duplication or ensure results.
Demonstrated progress: partially met. Since 2010, we have made more than 3,300 recommendations to agencies aimed at addressing cybersecurity challenges facing the government—over 500 of which were made since the last high-risk update in March 2019. While agencies have implemented a majority of our recommendations, many face challenges in safeguarding their information systems and information, in part, because many of these recommendations have not been fully implemented.
Specifically, of the roughly 3,300 recommendations made since 2010, more than 750 had not been fully implemented as of December 2020. We have also designated 103 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. As of December 2020, 67 of our priority recommendations had not been fully implemented.
Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being.
Because many of these systems contain vast amounts of personally identifiable information (PII) and other sensitive information, agencies must protect the confidentiality, integrity, and availability of this information. In addition, they must effectively respond to data breaches and security incidents when they occur.
The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks.
We have designated information security as a government-wide high-risk area since 1997. We expanded this high-risk area in 2003 to include protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.
Based on our prior work, we have identified four major cybersecurity challenges:
- establishing and implementing a comprehensive cybersecurity strategy and performing effective oversight,
- securing federal systems and information,
- protecting cyber critical infrastructure, and
- protecting privacy and sensitive data.
To address these challenges, we have identified 10 critical actions that the federal government and other entities need to take (see figure 9).
Figure 9: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges
Recent events highlight the urgent need to address the 10 critical actions. In December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive and alert explaining that an advanced persistent threat actor had been observed leveraging, among other techniques, a software supply chain compromise of an enterprise network management software suite to conduct a cyberattack campaign against U.S. government agencies, critical infrastructure entities, and private sector organizations.
According to CISA, this threat poses a grave risk to the federal, state, local, tribal, and territorial governments, as well as critical infrastructure entities and other private sector organizations. Subsequently, in December 2020, the Federal Bureau of Investigation, CISA, and the Office of the Director of National Intelligence formed a Cyber Unified Coordination Group to coordinate a whole-of-government response to the significant and ongoing cyberattack campaign.
Agencies need to urgently address the 10 critical actions to effectively respond to this incident and, thus, better position the nation to prevent, or more quickly detect and mitigate the damage of, future cyberattacks. In particular:
- Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. As previously mentioned, the position of National Cyber Director needs to be filled to coordinate the execution of a national cyber strategy, including implementing activities necessary to effectively respond to significant cybersecurity incidents.
- Mitigate global supply chain risks. We reported in December 2020 that none of the 23 civilian CFO Act agencies had fully implemented seven selected foundational practices for managing information and communications technology supply chain risks. Those agencies need to address the 145 recommendations that we made to address those weaknesses.
- Enhance the federal response to cyber incidents. In July 2019, we reported that most of 16 selected federal agencies had deficiencies in at least one of the activities associated with incident response processes. We and the inspectors general have made thousands of recommendations aimed at improving information security programs and practices—including those relating to incident response processes over the years; however, many of these recommendations remain unimplemented.
We have ongoing work reviewing the federal response to the above-mentioned significant cyberattack campaign.
Congressional Actions Needed
We previously suggested in May 2008 that Congress consider amending laws, such as the Privacy Act of 1974 and the E-Government Act of 2002, because they may not consistently protect personally identifiable information (PII) (i.e., any information that can be used to distinguish an individual's identity).
Specifically, we found that while these laws and guidance set minimum requirements for agencies, they may not consistently protect PII in all circumstances of its collection and use throughout the federal government, and may not fully adhere to key privacy principles. However, our suggested revisions to the Privacy Act of 1974 and the E-Government Act of 2002 had not been enacted as of December 2020.
We also suggested in September 2013 that Congress consider strengthening the consumer privacy framework and review issues such as the adequacy of consumers’ ability to access, correct, and control their personal information, and privacy controls related to new technologies such as web tracking and mobile devices. However, these suggested changes had not been enacted as of December 2020.