Fast Facts

To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.

These key practices include:

Designating a cybersecurity risk executive

Developing a risk management strategy and policies

Assessing cyber risks

Coordinating between cybersecurity and enterprise-wide risk management functions

All but one of the 23 agencies we reviewed designated a risk executive. However, none of these agencies fully incorporated the other key practices into their programs.

We made 58 recommendations to federal agencies to help improve their cybersecurity risk management programs.

Highlights

What GAO Found

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:

Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.

Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.

Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.

Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.

Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.

Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs (see table).

Agency Challenges in Establishing Cybersecurity Risk Management Programs

Challenge                                                           Agencies reporting challenge (of 23)
Hiring and retaining key cybersecurity management personnel         23
Managing competing priorities between operations and cybersecurity  19
Establishing and implementing consistent policies and procedures    18
Establishing and implementing standardized technology capabilities  18
Receiving quality risk data                                         18
Using federal cybersecurity risk management guidance                16
Developing an agency-wide risk management strategy                  15
Incorporating cyber risks into enterprise risk management           14

Source: GAO analysis of agency data. | GAO-19-384

In response to a May 2017 executive order, the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) identified areas for improvement in agencies' capabilities for managing cyber risks. Further, they have initiatives under way that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, OMB and DHS did not establish initiatives to address the other challenges on managing conflicting priorities, establishing and implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM. Without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.

Why GAO Did This Study

Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.

GAO was asked to review federal agencies' cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face. To do this, GAO reviewed policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to key federal cybersecurity risk management practices, obtained agencies' views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.


Recommendations

GAO is making 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges. Seventeen agencies agreed with the recommendations, one partially agreed, and four, including OMB, did not state whether they agreed or disagreed. GAO continues to believe all its recommendations are warranted.

Recommendations for Executive Action

Agency Affected | Recommendation | Status
Office of Management and Budget 1. The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)
Open
The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.
Department of Agriculture
Priority Rec.
This is a priority recommendation.
2. The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)
Open
As of February 2021, USDA had reported that the department has begun developing a Cybersecurity Strategy that will align with USDA's governance of its enterprise risk management. The department estimated completing this effort by June 30, 2021.
Department of Agriculture 3. The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)
Open
The Department of Agriculture did not state whether or not it concurred with this recommendation. The department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. As of March 2021, the department had not completed these updates or provided an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Agriculture
Priority Rec.
This is a priority recommendation.
4. The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)
Open
The Department of Agriculture did not state whether or not it concurred with this recommendation. The department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. As of March 2021, the department had not provided documentation of its process for cybersecurity and ERM coordination. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Commerce 5. The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)
Open
The Department of Commerce did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Commerce
Priority Rec.
This is a priority recommendation.
6. The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)
Open
The Department of Commerce did not state whether or not it concurred with this recommendation. In February 2021, the department described a process for quarterly and annual organization-wide cybersecurity risk assessments, which provide an opportunity for the DOC Office of the Chief Information Officer (OCIO) to improve cybersecurity risk management strategies based on data gathered from Bureaus and organizational units across DOC. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Education
Priority Rec.
This is a priority recommendation.
7. The Secretary of Education should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 7)
Closed - Implemented
In April 2020, in response to our recommendation, Education updated its cyber risk management framework to address the missing elements identified in our report. The framework now includes a statement of risk tolerance and acceptable risk response strategies. As a result, Education now has a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data.
Department of Energy
Priority Rec.
This is a priority recommendation.
8. The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)
Open
The Department of Energy concurred with this recommendation. In February 2021, the department stated that it is developing a department-wide risk management plan, to include a risk management strategy. The department noted the development is still underway and did not provide an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Energy 9. The Secretary of Energy should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the identification of common controls. (Recommendation 9)
Closed - Implemented
The Department of Energy concurred with this recommendation and has taken steps to implement it. In February 2020, the department sent us its updated policy governing its cybersecurity program. This policy addresses the missing elements by requiring an organization-wide cybersecurity risk assessment and addressing the identification of common controls. Accordingly, we consider this recommendation to be implemented.
Department of Health and Human Services
Priority Rec.
This is a priority recommendation.
10. The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)
Open
The Department of Health and Human Services concurred with this recommendation. In March 2021, the department stated that its cybersecurity risk management strategy is undergoing internal review. The department did not provide a date that the review would be completed. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services 11. The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)
Open
The Department of Health and Human Services partially concurred with this recommendation. In March 2021, the department stated that its policies are undergoing revision and internal review to incorporate the missing elements, and that it expected these to be finalized by September 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services
Priority Rec.
This is a priority recommendation.
12. The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)
Open
The Department of Health and Human Services concurred with this recommendation. In March 2021, the department stated that a process for an organization-wide cybersecurity risk assessment is still under development and did not provide an estimated date of completion. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services 13. The Secretary of Health and Human Services should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 13)
Closed - Implemented
The Department of Health and Human Services concurred with this recommendation and has taken steps to implement it. In February 2020, HHS provided evidence to show that it has established a process for coordination between its cybersecurity risk management and enterprise risk management (ERM) functions. Specifically, the department established an Enterprise Risk Management Council to oversee and coordinate the implementation of ERM, in which the department's Chief Information Security Officer (CISO) was added as a voting member in order to provide perspectives on information security and privacy. Additionally, both the CISO and Chief Information Officer (CIO) attend meetings of the ERM council. Accordingly, we consider this recommendation implemented.
Department of Homeland Security
Priority Rec.
This is a priority recommendation.
14. The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)
Closed - Implemented
The Department of Homeland Security concurred with this recommendation. In March 2021, DHS provided its OCIO Management Cybersecurity Risk Management Strategy, and the strategy addresses the key elements identified in our report. This includes a statement of risk tolerance and how the agency intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation implemented.
Department of Homeland Security
Priority Rec.
This is a priority recommendation.
15. The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)
Open
The Department of Homeland Security concurred with this recommendation. The department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. As of March 2021, the department had not provided documentation specifying the details of this coordination process or an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Housing and Urban Development
Priority Rec.
This is a priority recommendation.
16. The Secretary of Housing and Urban Development should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)
Open
The Department of Housing and Urban Development concurred with this recommendation. In February 2021, the department provided a risk management strategy that outlines roles and responsibilities and a risk review process. However, this document did not include details on the department's risk tolerance or how specifically it intends to assess, respond to, and monitor risk. We intend to work with HUD to ensure these areas are addressed in its strategy.
Department of Housing and Urban Development 17. The Secretary of Housing and Urban Development should update the department's policies to require the use of risk assessments to inform POA&M prioritization. (Recommendation 17)
Closed - Implemented
The Department of Housing and Urban Development concurred with this recommendation and has taken steps to implement it. In March 2020, HUD updated its POA&M procedures to include a requirement that considerations of risk inform the prioritization of POA&Ms. Accordingly, we consider this recommendation to be implemented.
Department of the Interior
Priority Rec.
This is a priority recommendation.
18. The Secretary of the Interior should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 18)
Closed - Implemented
The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Interior Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the department's Enterprise Cybersecurity Risk Management Program. This plan includes the elements identified in our report, including a statement of risk tolerance and how the department intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation to be implemented.
Department of the Interior 19. The Secretary of the Interior should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 19)
Closed - Implemented
The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the Department of the Interior's Enterprise Cybersecurity Risk Management Program. This plan includes a provision for a department-wide assessment of cybersecurity risks. Specifically, the plan states that the Cyber Risk Office is responsible for aggregating risks from all levels, ensuring visibility at various levels of senior management. Accordingly, we consider this recommendation to be implemented.
Department of the Interior
Priority Rec.
This is a priority recommendation.
20. The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)
Open
The Department of the Interior concurred with this recommendation. As of March 2021, the department provided an updated risk management plan that outlined certain roles and responsibilities related to cybersecurity and enterprise risk management. However, it had not provided sufficient documentation of the process for coordination between these functions. We intend to work with the department to ensure these areas are addressed in its plan.
Department of Justice
Priority Rec.
This is a priority recommendation.
21. The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)
Open
In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of March 2021, the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks, but had not yet provided sufficient evidence to demonstrate that its strategy addresses the key elements identified in our report. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Justice
Priority Rec.
This is a priority recommendation.
22. The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)
Open
In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of March 2021, the department had stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions, but it had not provided sufficient documentation of this process. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Labor 23. The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)
Open
The Department of Labor concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of State 24. The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)
Open
The Department of State concurred with this recommendation. As of February 2021, the department stated that it is actively working to update the applicable policies and procedures and they are undergoing internal review. The department did not provide an estimated completion date for the review. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of State
Priority Rec.
This is a priority recommendation.
25. The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)
Open
The Department of State concurred with this recommendation. As of February 2021, the department stated that it is actively working to update the applicable policies and procedures, and they are undergoing internal review. The department did not provide an estimated completion date for the review. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation
Priority Rec.
This is a priority recommendation.
26. The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)
Open
The Department of Transportation concurred with this recommendation. As of March 2021, the department stated that it is working toward implementation of this recommendation and plans to provide an update to GAO by January 2022. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation 27. The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)
Open
The Department of Transportation concurred with this recommendation. The department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment, but as of March 2021, it had not provided these updated policies and procedures or an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation
Priority Rec.
This is a priority recommendation.
28. The Secretary of Transportation should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 28)
Closed - Implemented
In April 2020, in response to our recommendation, the department updated its Information Technology Risk Management standard operating procedure, which describes, among other things, how the department's Office of the Chief Information Officer is to coordinate with the office responsible for enterprise risk management (ERM) functions. This includes the incorporation of cybersecurity and privacy risks into the department's ERM process. Accordingly, senior leadership at Transportation responsible for ERM is in a better position to be fully aware of significant cybersecurity risks and, thus, positioned to address them in the context of other risks and their potential impacts on the mission of the agency.
Department of the Treasury
Priority Rec.
This is a priority recommendation.
29. The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)
Open
The Department of the Treasury did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Department of the Treasury
Priority Rec.
This is a priority recommendation.
30. The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)
Open
The Department of the Treasury did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Department of the Treasury 31. The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)
Open
The Department of the Treasury did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
Priority Rec.
This is a priority recommendation.
32. The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)
Open
The Department of Veterans Affairs concurred with this recommendation. The department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Veterans Affairs 33. The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)
Open
The Department of Veterans Affairs concurred with this recommendation. VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
Priority Rec.
This is a priority recommendation.
34. The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)
Open
The Department of Veterans Affairs concurred with this recommendation. VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Veterans Affairs 35. The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)
Open
The Department of Veterans Affairs concurred with this recommendation. VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
United States Agency for International Development 36. The Administrator of the United States Agency for International Development (USAID) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 36)
Closed - Implemented
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided its updated Risk Management Framework Handbook which (1) states that the agency's Chief Information Officer, Senior Agency Official for Privacy, and Chief Information Security Officer are to aggregate system assessments to develop enterprise/organizational risk assessment results to inform the risk management strategies and (2) outlines a process for control tailoring informed by risk considerations. Accordingly, we consider this recommendation to be closed and implemented.
United States Agency for International Development 37. The Administrator of USAID should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 37)
Closed - Implemented
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided evidence that it had established a process for conducting an organization-wide cybersecurity risk assessment. Specifically, the agency developed a dashboard that aggregates cyber indicators for systems from organizations and sub-organizations across the agency. The status of these items is scored according to a standard formula that allows the agency to produce a score at the system, bureau, and organization levels. These results are briefed to the CIO and allow the agency's CIO organization to prioritize resources as necessary for any problematic areas. Accordingly, we consider this recommendation to be closed and implemented.
Environmental Protection Agency (Priority Recommendation) 38. The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. However, as of March 2021, we had not received evidence of these actions or an estimated completion date. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Environmental Protection Agency 39. The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. EPA stated that it is establishing a process to review, update, and reissue its policies. However, as of March 2021, we had not received evidence of these actions or an estimated completion date. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Environmental Protection Agency (Priority Recommendation) 40. The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Environmental Protection Agency 41. The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
General Services Administration (Priority Recommendation) 42. The Administrator of General Services should designate and document a risk executive function with responsibilities for organization-wide cybersecurity risk management. (Recommendation 42)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, and the updated strategy designates and documents the agency's risk executive function. Specifically, it states that the risk executive function at GSA is handled by the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management. Further, for cybersecurity risks, the Chief Information Security Officer (CISO), Authorizing Officials, and subject matter experts facilitate the consistent application of risk management across GSA. The CISO coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
General Services Administration 43. The Administrator of General Services should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 43)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. GSA's updated IT security policy requires an organization-wide cybersecurity risk assessment. Specifically, policy states that the risk executive function is responsible for, among other things, determining organizational risk based on the aggregated risk from the operation and use of information systems and the respective environments of operation. Accordingly, we consider this recommendation to be implemented.
General Services Administration (Priority Recommendation) 44. The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. GSA provided evidence of a process for aggregating system-level risks and communicating them to the enterprise level. These risks are communicated via regular reports to officials throughout the Agency, including the GSA Administrator. Further, the agency's Enterprise Executive Risk Subcommittee identifies and monitors agency-wide risks facing GSA, coordinating with risk owners to engage with the GSA Enterprise Management Board in risk mitigation and elimination. Accordingly, we consider this recommendation to be implemented.
General Services Administration 45. The Administrator of General Services should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 45)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, which includes a process for coordination between cybersecurity risk management and enterprise risk management functions. Specifically, it states that the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management, is responsible for managing and monitoring key organizational risks. Further, the agency's Chief Information Security Officer coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
National Aeronautics and Space Administration 46. The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)
Open
NASA concurred with this recommendation. The agency stated that it is working to address gaps in its cybersecurity policy, but as of March 2021 it had not provided evidence of an updated policy or an estimated completion date. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
National Aeronautics and Space Administration (Priority Recommendation) 47. The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)
Open
NASA concurred with this recommendation. NASA stated that the agency was in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment, but as of March 2021 it had not provided evidence of this process or an estimated completion date. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
National Science Foundation 48. The Director of the National Science Foundation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 48)
Closed - Implemented
NSF concurred with this recommendation and has taken steps to implement it. In December 2019, NSF provided an updated IT Security and Privacy Risk Management Strategy and an updated Information Security and Privacy Continuous Monitoring Program policy. After reviewing these documents, we determined that NSF's updated strategy includes the key elements identified in our report, including a statement of risk tolerance and how the agency intends to assess and monitor risk. Accordingly, we consider this recommendation to be closed and implemented.
Nuclear Regulatory Commission (Priority Recommendation) 49. The Chairman of the Nuclear Regulatory Commission (NRC) should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 49)
Closed - Implemented
NRC concurred with this recommendation and has taken steps to implement it. In September 2020, NRC issued its Risk Management Strategy, which addresses the key elements identified in our report. Specifically, the strategy includes a statement of the agency's risk tolerance and descriptions of how it intends to assess, respond to, and monitor cyber risks. Accordingly, we consider this recommendation to be implemented.
Nuclear Regulatory Commission 50. The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)
Closed - Implemented
NRC concurred with this recommendation. In January 2021, NRC provided evidence to show that its updated policies incorporate these two elements. Specifically, its updated policies require an organization-wide risk assessment and the prioritization of POA&Ms based on an assessment of risk. Accordingly, we consider this recommendation to be implemented.
Nuclear Regulatory Commission 51. The Chairman of NRC should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 51)
Closed - Implemented
NRC concurred with this recommendation and has taken steps to implement it. Specifically, NRC officials provided documentation showing that the agency had developed a process for an organization-wide cybersecurity risk assessment. The process includes an aggregation of security-related indicators from across the organization and provides an assessment or scoring for each NRC office or region. The assessment is available through an agency dashboard, which displays progress against an agency-developed metric, as well as the quantified risk associated with each office and region. Accordingly, we consider this recommendation closed and implemented.
Nuclear Regulatory Commission 52. The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)
Closed - Implemented
NRC concurred with this recommendation. NRC provided evidence that it established such a process. Specifically, the agency's Enterprise Risk Management Council (ERMC) is responsible for organization-wide efforts to manage risk, advises on the strategically aligned portfolio view of risks for the agency, and serves as a strategic advisor on the integration of enterprise risk management practices into daily business operations and decision-making. The ERMC is advised of all enterprise-level risks, including cyber risk, and its membership includes the Chief Risk Officer and Chief Information Officer, among others. Accordingly, we consider this recommendation to be implemented.
Office of Personnel Management 53. The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)
Open
OPM concurred with this recommendation and stated that it planned to update its policies to address the missing elements. As of March 2021, the agency had not provided evidence of its updated policies or an estimated completion date. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Office of Personnel Management (Priority Recommendation) 54. The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)
Open
OPM concurred with this recommendation. In January 2021, the agency stated that its initial plans to implement the recommendation were delayed due to resource challenges and that it plans to revisit this effort in the second quarter of FY 2021. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Small Business Administration 55. The Administrator of the Small Business Administration (SBA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 55)
Closed - Implemented
SBA concurred with this recommendation and has taken steps to implement it. In March 2020, SBA provided its updated risk management framework implementation procedures. These procedures address the missing elements, such as a statement of risk tolerance and acceptable risk response strategies. Accordingly, we consider this recommendation closed and implemented.
Small Business Administration 56. The Administrator of SBA should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 56)
Closed - Implemented
In March 2020, in response to our recommendation, SBA updated its Risk Management Framework implementation procedures to require an organization-wide cybersecurity risk assessment and the use of risk assessments to inform POA&M prioritization. Accordingly, SBA has taken the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems.
Small Business Administration (Priority Recommendation) 57. The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)
Closed - Implemented
SBA concurred with this recommendation and has taken steps to implement it. Specifically, the agency developed a process for an organization-wide cybersecurity risk assessment that includes aggregating risks from various internal and external data sources, scoring them according to a defined risk assessment methodology, and identifying key agency-wide risks, which are reported to agency leadership along with recommended actions for remediation. Accordingly, we consider this recommendation to be implemented.
Social Security Administration (Priority Recommendation) 58. The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)
Open
SSA concurred with this recommendation. SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams, but as of March 2021, the agency had not provided sufficient documentation of this process or an estimated completion date. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.