Federal Information Security:
Actions Needed to Address Challenges
GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-6244
wilshuseng@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
Cyber incidents affecting federal agencies have continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015.
Cyber Incidents Reported by Federal Agencies, Fiscal Year 2006--2015
Several laws and policies establish a framework for the federal government's information security and assign implementation and oversight responsibilities to key federal entities, including the Office of Management and Budget, executive branch agencies, and the Department of Homeland Security (DHS).
However, implementation of this framework has been inconsistent, and additional actions are needed:
Effectively implement risk-based information security programs. Agencies have been challenged to fully and effectively establish and implement information security programs. They need to enhance capabilities to identify cyber threats, implement sustainable processes for securely configuring their computer assets, patch vulnerable systems and replace unsupported software, ensure comprehensive testing and evaluation of their security on a regular basis, and strengthen oversight of IT contractors.
Improve capabilities for detecting, responding to, and mitigating cyber incidents. Even with strong security, organizations can continue to be victimized by attacks exploiting previously unknown vulnerabilities. To address this, DHS needs to expand the capabilities and adoption of its intrusion detection and prevention system, and agencies need to improve their practices for responding to cyber incidents and data breaches.
Expand cyber workforce and training efforts. Ensuring that the government has a sufficient cybersecurity workforce with the right skills and training remains an ongoing challenge. Government-wide efforts are needed to better recruit and retain a qualified cybersecurity workforce and to improve workforce planning activities at agencies.
Why GAO Did This Study
The dependence of federal agencies on computerized information systems and electronic data makes them potentially vulnerable to a wide and evolving array of cyber-based threats. Securing these systems and data is vital to the nation's safety, prosperity, and well-being.
Because of the significance of these risks and long-standing challenges in effectively implementing information security protections, GAO has designated federal information security as a government-wide high-risk area since 1997. In 2003 this area was expanded to include computerized systems supporting the nation's critical infrastructure, and again in February 2015 to include protecting the privacy of personally identifiable information collected, maintained, and shared by both federal and nonfederal entities.
GAO was asked to provide a statement on laws and policies shaping the federal IT security landscape and actions needed for addressing long-standing challenges to improving the nation's cybersecurity posture. In preparing this statement, GAO relied on previously published work.
Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of September 16, 2016, about 1,000 have not been implemented.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
Dec 12, 2019
Cloud Computing Security:
Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are NeededGAO-20-126: Published: Dec 12, 2019. Publicly Released: Dec 12, 2019.
Sep 25, 2019
-
Critical Infrastructure Protection:
Actions Needed to Address Significant Cybersecurity Risks Facing the Electric GridGAO-19-332: Published: Aug 26, 2019. Publicly Released: Sep 25, 2019.
Jul 26, 2019
-
Federal Information Security:
Agencies and OMB Need to Strengthen Policies and PracticesGAO-19-545: Published: Jul 26, 2019. Publicly Released: Jul 26, 2019.
Jul 25, 2019
-
Cybersecurity:
Agencies Need to Fully Establish Risk Management Programs and Address ChallengesGAO-19-384: Published: Jul 25, 2019. Publicly Released: Jul 25, 2019.
Jul 18, 2019
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-19-474R: Published: Jul 18, 2019. Publicly Released: Jul 18, 2019.
Jun 14, 2019
-
Data Protection:
Federal Agencies Need to Strengthen Online Identity Verification ProcessesGAO-19-288: Published: May 17, 2019. Publicly Released: Jun 14, 2019.
Mar 27, 2019
-
Data Breaches:
Range of Consumer Risks Highlights Limitations of Identity Theft ServicesGAO-19-230: Published: Mar 27, 2019. Publicly Released: Mar 27, 2019.
Dec 20, 2018
-
Information Security:
Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its ProgramGAO-19-70: Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Dec 18, 2018
-
Information Security:
Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against IntrusionsGAO-19-105: Published: Dec 18, 2018. Publicly Released: Dec 18, 2018.
Dec 6, 2018
-
Cybersecurity:
Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat InformationGAO-19-114R: Published: Dec 6, 2018. Publicly Released: Dec 6, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
