Federal Information Security:
Actions Needed to Address Challenges
GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-6244
wilshuseng@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015.
Cyber Incidents Reported by Federal Agencies, Fiscal Year 2006--2015
Several laws and policies establish a framework for the federal government's information security and assign implementation and oversight responsibilities to key federal entities, including the Office of Management and Budget, executive branch agencies, and the Department of Homeland Security (DHS).
However, implementation of this framework has been inconsistent, and additional actions are needed:
Effectively implement risk-based information security programs. Agencies have been challenged to fully and effectively establish and implement information security programs. They need to enhance capabilities to identify cyber threats, implement sustainable processes for securely configuring their computer assets, patch vulnerable systems and replace unsupported software, ensure comprehensive testing and evaluation of their security on a regular basis, and strengthen oversight of IT contractors.
Improve capabilities for detecting, responding to, and mitigating cyber incidents. Even with strong security, organizations can continue to be victimized by attacks exploiting previously unknown vulnerabilities. To address this, DHS needs to expand the capabilities and adoption of its intrusion detection and prevention system, and agencies need to improve their practices for responding to cyber incidents and data breaches.
Expand cyber workforce and training efforts. Ensuring that the government has a sufficient cybersecurity workforce with the right skills and training remains an ongoing challenge. Government-wide efforts are needed to better recruit and retain a qualified cybersecurity workforce and to improve workforce planning activities at agencies.
Why GAO Did This Study
The dependence of federal agencies on computerized information systems and electronic data makes them potentially vulnerable to a wide and evolving array of cyber-based threats. Securing these systems and data is vital to the nation's safety, prosperity, and well-being.
Because of the significance of these risks and long-standing challenges in effectively implementing information security protections, GAO has designated federal information security as a government-wide high-risk area since 1997. In 2003 this area was expanded to include computerized systems supporting the nation's critical infrastructure, and again in February 2015 to include protecting the privacy of personally identifiable information collected, maintained, and shared by both federal and nonfederal entities.
GAO was asked to provide a statement on laws and policies shaping the federal IT security landscape and actions needed for addressing long-standing challenges to improving the nation's cybersecurity posture. In preparing this statement, GAO relied on previously published work.
Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of September 16, 2016, about 1,000 have not been implemented.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
May 27, 2020
Cybersecurity:
Selected Federal Agencies Need to Coordinate on Requirements and Assessments of StatesGAO-20-123: Published: May 27, 2020. Publicly Released: May 27, 2020.
May 13, 2020
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.
Apr 24, 2020
-
Information Security:
FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its ProgramGAO-20-265: Published: Mar 25, 2020. Publicly Released: Apr 24, 2020.
Apr 13, 2020
-
Cybersecurity:
DOD Needs to Take Decisive Actions to Improve Cyber HygieneGAO-20-241: Published: Apr 13, 2020. Publicly Released: Apr 13, 2020.
Feb 11, 2020
-
Office of Congressional Workplace Rights:
Weaknesses in Cybersecurity Management and Oversight Need to Be AddressedGAO-20-199: Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Dec 12, 2019
-
Cloud Computing Security:
Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are NeededGAO-20-126: Published: Dec 12, 2019. Publicly Released: Dec 12, 2019.
Sep 25, 2019
-
Critical Infrastructure Protection:
Actions Needed to Address Significant Cybersecurity Risks Facing the Electric GridGAO-19-332: Published: Aug 26, 2019. Publicly Released: Sep 25, 2019.
Jul 26, 2019
-
Federal Information Security:
Agencies and OMB Need to Strengthen Policies and PracticesGAO-19-545: Published: Jul 26, 2019. Publicly Released: Jul 26, 2019.
Jul 25, 2019
-
Cybersecurity:
Agencies Need to Fully Establish Risk Management Programs and Address ChallengesGAO-19-384: Published: Jul 25, 2019. Publicly Released: Jul 25, 2019.
Jul 18, 2019
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-19-474R: Published: Jul 18, 2019. Publicly Released: Jul 18, 2019.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
