High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation
GAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
- Related WatchBlog Post:
Contact:
(202) 512-9342
MarinosN@gao.gov
Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities.
Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges
GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of these action areas, including protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents. Although many recommendations have been addressed, about 1,000 have not yet been implemented. Until these shortcomings are addressed, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist.
Why GAO Did This Study
Federal agencies and the nation's critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on information technology systems to carry out operations. The security of these systems and the data they use is vital to public confidence and national security, prosperity, and well-being.
The risks to these systems are increasing as security threats evolve and become more sophisticated. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.
GAO was asked to update its information security high-risk area. To do so, GAO identified the actions the federal government and other entities need to take to address cybersecurity challenges. GAO primarily reviewed prior work issued since the start of fiscal year 2016 related to privacy, critical federal functions, and cybersecurity incidents, among other areas. GAO also reviewed recent cybersecurity policy and strategy documents, as well as information security industry reports of recent cyberattacks and security breaches.
What GAO Recommends
GAO has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented.
For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
Sep 25, 2019
Critical Infrastructure Protection:
Actions Needed to Address Significant Cybersecurity Risks Facing the Electric GridGAO-19-332: Published: Aug 26, 2019. Publicly Released: Sep 25, 2019.
Jul 26, 2019
-
Federal Information Security:
Agencies and OMB Need to Strengthen Policies and PracticesGAO-19-545: Published: Jul 26, 2019. Publicly Released: Jul 26, 2019.
Jul 25, 2019
-
Cybersecurity:
Agencies Need to Fully Establish Risk Management Programs and Address ChallengesGAO-19-384: Published: Jul 25, 2019. Publicly Released: Jul 25, 2019.
Jul 18, 2019
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-19-474R: Published: Jul 18, 2019. Publicly Released: Jul 18, 2019.
Jun 14, 2019
-
Data Protection:
Federal Agencies Need to Strengthen Online Identity Verification ProcessesGAO-19-288: Published: May 17, 2019. Publicly Released: Jun 14, 2019.
Mar 27, 2019
-
Data Breaches:
Range of Consumer Risks Highlights Limitations of Identity Theft ServicesGAO-19-230: Published: Mar 27, 2019. Publicly Released: Mar 27, 2019.
Dec 20, 2018
-
Information Security:
Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its ProgramGAO-19-70: Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Dec 18, 2018
-
Information Security:
Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against IntrusionsGAO-19-105: Published: Dec 18, 2018. Publicly Released: Dec 18, 2018.
Dec 6, 2018
-
Cybersecurity:
Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat InformationGAO-19-114R: Published: Dec 6, 2018. Publicly Released: Dec 6, 2018.
Nov 13, 2018
-
Information Security:
OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain OpenGAO-19-143R: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
