Skip to Highlights
Highlights

Federal agencies are facing a set of emerging cybersecurity threats that are the result of increasingly sophisticated methods of attack and the blending of once distinct types of attack into more complex and damaging forms. Examples of these threats include spam (unsolicited commercial e-mail), phishing (fraudulent messages to obtain personal or sensitive data), and spyware (software that monitors user activity without user knowledge or consent). To address these issues, GAO was asked to determine (1) the potential risks to federal systems from these emerging cybersecurity threats, (2) the federal agencies' perceptions of risk and their actions to mitigate them, (3) federal and private-sector actions to address the threats on a national level, and (4) governmentwide challenges to protecting federal systems from these threats.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should ensure that agencies' information security programs required by FISMA address the risk of emerging cybersecurity threats such as spam, phishing, and spyware, including performing periodic risk assessments; implementing risk-based policies and procedures to mitigate identified risks; providing security-awareness training; and establishing procedures for detecting, reporting, and responding to incidents of emerging cybersecurity threats.
Closed - Implemented
In July 2006, we verified that OMB has fulfilled our recommendation by adding questions regarding emerging technology to the FY 2005 Instructions for Preparing the Federal Information Security Management Act Report. Furthermore, these questions ask agencies if they have documented in its security policies special procedures for using emerging technologies and countering emerging threats. OMB will consider agency responses when determining whether it approves or disapproves agency security programs as part of the FY06 review cycle.
Office of Management and Budget In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should coordinate with the Secretary of Homeland Security and the Attorney General to establish governmentwide guidance for agencies on how to (1) address emerging cybersecurity threats and (2) report incidents to a single government entity, including clarifying the respective roles, responsibilities, processes, and procedures for federal entities--including homeland security and law enforcement.
Closed - Implemented
In July 2006, we verified that OMB has fulfilled our recommendation by distributing a ?Concept of Operations for Federal Cyber Security Incident Handling? to Chief Information Officers in May of 2005. CONOPS contains a common set of incident terms and clarifies the roles, responsibilities, processes, and procedures for federal entities involved in incident reporting and response, including homeland security and law enforcement. Furthermore, OMB claims that DHS?s National Cyber Security Division continues to publish alerts on, and guidance on how to combat, a variety of emerging cybersecurity threats.

Full Report

GAO Contacts