Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information - High Risk Issue

Pervasive and sustained cyberattacks against the United States could have a potentially devastating impact on the nation’s computer networks and systems, disrupting the operations of the federal government, critical infrastructure, and the lives of private individuals.

Federal agencies and the nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information.

The security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern. The security of federal cyber assets has been on GAO’s High Risk list since 1997. The area has since been expanded to include the protection of critical cyber infrastructure and the privacy of personally identifiable information (PII) that is collected, maintained, and shared by both federal and nonfederal entities. PII is any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information.

Risks to cyber assets can originate from both unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, as well as escalating and emerging threats from around the globe. The steady advance in the sophistication of attack technology and the emergence of new and more destructive attacks also pose risks. Ineffective protection of cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.

Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity facilitates the tracking of individuals by allowing easy access to information pinpointing their location. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.

Over the last several years, GAO has made about 2,500 recommendations to agencies aimed at improving their implementation of information security controls. Many of these recommendations identify specific actions agencies should take to protect their information and systems; others call on agencies to fully implement their information security programs and to better protect the privacy of PII held on their systems. However, many agencies continue to have weaknesses in these controls, in part because many of the recommendations have not been implemented. As of October 2016, about 1,000 of the information security-related recommendations had not been implemented.

2015 Update to GAO's High Risk List, Wednesday, February 11, 2015

Contact:
  • Gregory C. Wilshusen
  • Director, Information Security Issues
  • (202) 512-6244