Cybersecurity:

Agencies Need to Fully Establish Risk Management Programs and Address Challenges

GAO-19-384: Published: Jul 25, 2019. Publicly Released: Jul 25, 2019.

Contact:

Nick Marinos
(202) 512-9342
marinosn@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.

These key practices include:

Designating a cybersecurity risk executive

Developing a risk management strategy and policies

Assessing cyber risks

Coordinating between cybersecurity and enterprise-wide risk management functions

All but one of the 23 agencies we reviewed designated a risk executive. However, none of these agencies fully incorporated the other key practices into their programs.

We made 58 recommendations to federal agencies to help improve their cybersecurity risk management programs.

What GAO Found

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:

Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.

Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.

Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.

Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.

Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.

Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs (see table).

Agency Challenges in Establishing Cybersecurity Risk Management Programs

Challenge                                                            Agencies reporting challenge
Hiring and retaining key cybersecurity management personnel          23
Managing competing priorities between operations and cybersecurity   19
Establishing and implementing consistent policies and procedures     18
Establishing and implementing standardized technology capabilities   18
Receiving quality risk data                                          18
Using federal cybersecurity risk management guidance                 16
Developing an agency-wide risk management strategy                   15
Incorporating cyber risks into enterprise risk management            14

Source: GAO analysis of agency data. | GAO-19-384

In response to a May 2017 executive order, the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) identified areas for improvement in agencies' capabilities for managing cyber risks. Further, they have initiatives under way that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, OMB and DHS did not establish initiatives to address the other challenges on managing conflicting priorities, establishing and implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM. Without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.

Why GAO Did This Study

Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.

GAO was asked to review federal agencies' cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face. To do this, GAO reviewed policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to key federal cybersecurity risk management practices, obtained agencies' views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.

What GAO Recommends

GAO is making 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges. Seventeen agencies agreed with the recommendations, one partially agreed, and four, including OMB, did not state whether they agreed or disagreed. GAO continues to believe all its recommendations are warranted.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.

    Recommendation: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Priority recommendation

    Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)

    Agency Affected: Department of Agriculture

  3. Status: Open

    Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)

    Agency Affected: Department of Agriculture

  4. Status: Open

    Priority recommendation

    Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)

    Agency Affected: Department of Agriculture

  5. Status: Open

    Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)

    Agency Affected: Department of Commerce

  6. Status: Open

    Priority recommendation

    Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)

    Agency Affected: Department of Commerce

  7. Status: Closed - Implemented

    Priority recommendation

    Comments: In April 2020, in response to our recommendation, Education updated its cyber risk management framework to address the missing elements identified in our report. The framework now includes a statement of risk tolerance and acceptable risk response strategies. As a result, Education now has a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect their systems and data.

    Recommendation: The Secretary of Education should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 7)

    Agency Affected: Department of Education

  8. Status: Open

    Priority recommendation

    Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)

    Agency Affected: Department of Energy

  9. Status: Closed - Implemented

    Comments: The Department of Energy concurred with this recommendation and has taken steps to implement it. In February 2020, the department sent us its updated policy governing its cybersecurity program. This policy addresses the missing elements by requiring an organization-wide cybersecurity risk assessment and addressing the identification of common controls. Accordingly, we consider this recommendation to be implemented.

    Recommendation: The Secretary of Energy should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the identification of common controls. (Recommendation 9)

    Agency Affected: Department of Energy

  10. Status: Open

    Priority recommendation

    Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)

    Agency Affected: Department of Health and Human Services

  11. Status: Open

    Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)

    Agency Affected: Department of Health and Human Services

  12. Status: Open

    Priority recommendation

    Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)

    Agency Affected: Department of Health and Human Services

  13. Status: Closed - Implemented

    Comments: The Department of Health and Human Services concurred with this recommendation and has taken steps to implement it. In February 2020, HHS provided evidence to show that it has established a process for coordination between its cybersecurity risk management and enterprise risk management (ERM) functions. Specifically, the department established an Enterprise Risk Management Council to oversee and coordinate the implementation of ERM, in which the department's Chief Information Security Officer (CISO) was added as a voting member in order to provide perspectives on information security and privacy. Additionally, both the CISO and Chief Information Officer (CIO) attend meetings of the ERM council. Accordingly, we consider this recommendation implemented.

    Recommendation: The Secretary of Health and Human Services should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 13)

    Agency Affected: Department of Health and Human Services

  14. Status: Open

    Priority recommendation

    Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

    Agency Affected: Department of Homeland Security

  15. Status: Open

    Priority recommendation

    Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

    Agency Affected: Department of Homeland Security

  16. Status: Open

    Priority recommendation

    Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, responded to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Housing and Urban Development should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)

    Agency Affected: Department of Housing and Urban Development

  17. Status: Open

    Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department stated that it planned to either update an existing policy/process document or develop a new policy/process document that will incorporate the cybersecurity risk management strategy and the impact it will have on the POA&M process, to include updated assessment and prioritization requirements. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Housing and Urban Development should update the department's policies to require the use of risk assessments to inform POA&M prioritization. (Recommendation 17)

    Agency Affected: Department of Housing and Urban Development

  18. Status: Open

    Priority recommendation

    Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it planned to develop a cybersecurity risk management strategy that includes the key elements. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Interior should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 18)

    Agency Affected: Department of the Interior

  19. Status: Open

    Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it would create a cybersecurity risk management strategy that reflects a process for aggregating and evaluating agency-wide risks. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Interior should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 19)

    Agency Affected: Department of the Interior

  20. Status: Open

    Priority recommendation

    Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that its cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)

    Agency Affected: Department of the Interior

  21. Status: Open

    Priority recommendation

    Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)

    Agency Affected: Department of Justice

  22. Status: Open

    Priority recommendation

    Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)

    Agency Affected: Department of Justice

  23. Status: Open

    Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)

    Agency Affected: Department of Labor

  24. Status: Open

    Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)

    Agency Affected: Department of State

  25. Status: Open

    Priority recommendation

    Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)

    Agency Affected: Department of State

  26. Status: Open

    Priority recommendation

    Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)

    Agency Affected: Department of Transportation

  27. Status: Open

    Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)

    Agency Affected: Department of Transportation

  28. Status: Closed - Implemented

    Priority recommendation

    Comments: In April 2020, in response to our recommendation, the department updated its Information Technology Risk Management standard operating procedure, which describes, among other things, how the department's Office of the Chief Information Officer is to coordinate with the office responsible for enterprise risk management (ERM) functions. This includes the incorporation of cybersecurity and privacy risks into the department's ERM process. Accordingly, senior leadership at Transportation responsible for ERM is in a better position to be fully aware of significant cybersecurity risks and, thus, positioned to address them in the context of other risks and their potential impacts on the mission of the agency.

    Recommendation: The Secretary of Transportation should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 28)

    Agency Affected: Department of Transportation

  29. Status: Open

    Priority recommendation

    Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)

    Agency Affected: Department of the Treasury

  30. Status: Open

    Priority recommendation

    Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)

    Agency Affected: Department of the Treasury

  31. Status: Open

    Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)

    Agency Affected: Department of the Treasury

  32. Status: Open

    Priority recommendation

    Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)

    Agency Affected: Department of Veterans Affairs

  33. Status: Open

    Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)

    Agency Affected: Department of Veterans Affairs

  34. Status: Open

    Priority recommendation

    Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)

    Agency Affected: Department of Veterans Affairs

  35. Status: Open

    Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)

    Agency Affected: Department of Veterans Affairs

  36. Status: Closed - Implemented

    Comments: USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided its updated Risk Management Framework Handbook, which (1) states that the agency's Chief Information Officer, Senior Agency Official for Privacy, and Chief Information Security Officer are to aggregate system assessments to develop enterprise/organizational risk assessment results to inform the risk management strategies and (2) outlines a process for control tailoring informed by risk considerations. Accordingly, we consider this recommendation to be closed and implemented.

    Recommendation: The Administrator of the United States Agency for International Development (USAID) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 36)

    Agency Affected: United States Agency for International Development

  37. Status: Closed - Implemented

    Comments: USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided evidence that it had established a process for conducting an organization-wide cybersecurity risk assessment. Specifically, the agency developed a dashboard that aggregates cyber indicators for systems from organizations and sub-organizations across the agency. The status of these items is scored according to a standard formulary that allows the agency to provide a score at the system, bureau, and organization levels. These results are briefed to the CIO and allow the agency's CIO organization to prioritize resources as necessary for any problematic areas. Accordingly, we consider this recommendation to be closed and implemented.

    Recommendation: The Administrator of USAID should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 37)

    Agency Affected: United States Agency for International Development

  38. Status: Open

    Priority recommendation

    Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)

    Agency Affected: Environmental Protection Agency

  39. Status: Open

    Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)

    Agency Affected: Environmental Protection Agency

  40. Status: Open

    Priority recommendation

    Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)

    Agency Affected: Environmental Protection Agency

  41. Status: Open

    Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)

    Agency Affected: Environmental Protection Agency

  42. Status: Open

    Priority recommendation

    Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it planned to update its policies to document the designation of the risk executive function and its responsibilities for agency-wide cybersecurity risk management. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of General Services should designate and document a risk executive function with responsibilities for organization-wide cybersecurity risk management. (Recommendation 42)

    Agency Affected: General Services Administration

  43. Status: Open

    Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would update its policies to require an organization-wide assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of General Services should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 43)

    Agency Affected: General Services Administration

  44. Status: Open

    Priority recommendation

    Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)

    Agency Affected: General Services Administration

  45. Status: Open

    Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it will amend its investment review board charter to include a process for coordination between enterprise risk management and cybersecurity risk management. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of General Services should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 45)

    Agency Affected: General Services Administration

  46. Status: Open

    Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)

    Agency Affected: National Aeronautics and Space Administration

  47. Status: Open

    Priority recommendation

    Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)

    Agency Affected: National Aeronautics and Space Administration

  48. Status: Closed - Implemented

    Comments: NSF concurred with this recommendation and has taken steps to implement it. In December 2019, NSF provided an updated IT Security and Privacy Risk Management Strategy and an updated Information Security and Privacy Continuous Monitoring Program policy. After reviewing these documents, we determined that NSF's updated strategy includes the key elements identified in our report, including a statement of risk tolerance and how the agency intends to assess and monitor risk. Accordingly, we consider this recommendation to be closed and implemented.

    Recommendation: The Director of the National Science Foundation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 48)

    Agency Affected: National Science Foundation

  49. Status: Open

    Priority recommendation

    Comments: NRC concurred with this recommendation. As of January 2020, the commission stated that it is taking steps to evaluate and update its strategy, with a target completion date by the end of fiscal year 2020. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Chairman of the Nuclear Regulatory Commission (NRC) should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 49)

    Agency Affected: Nuclear Regulatory Commission

  50. Status: Open

    Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.

    Recommendation: The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)

    Agency Affected: Nuclear Regulatory Commission

  51. Status: Closed - Implemented

    Comments: NRC concurred with this recommendation and has taken steps to implement it. Specifically, NRC officials provided documentation showing that the agency had developed a process for an organization-wide cybersecurity risk assessment. The process includes an aggregation of security-related indicators from across the organization and provides an assessment or scoring for each NRC office or region. The assessment is available through an agency dashboard, which displays progress against an agency-developed metric, as well as the quantified risk associated with each office and region. Accordingly, we consider this recommendation closed and implemented.

    Recommendation: The Chairman of NRC should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 51)

    Agency Affected: Nuclear Regulatory Commission

  52. Status: Open

    Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)

    Agency Affected: Nuclear Regulatory Commission

  53. Status: Open

    Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)

    Agency Affected: Office of Personnel Management

  54. Status: Open

    Priority recommendation

    Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)

    Agency Affected: Office of Personnel Management

  55. Status: Closed - Implemented

    Comments: SBA concurred with this recommendation and has taken steps to implement it. In March 2020, SBA provided its updated risk management framework implementation procedures. These procedures address the missing elements, such as a statement of risk tolerance and acceptable risk response strategies. Accordingly, we consider this recommendation closed and implemented.

    Recommendation: The Administrator of the Small Business Administration (SBA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 55)

    Agency Affected: Small Business Administration

  56. Status: Closed - Implemented

    Comments: In March 2020, in response to our recommendation, SBA updated its Risk Management Framework implementation procedures to require an organization-wide cybersecurity risk assessment and the use of risk assessments to inform POA&M prioritization. Accordingly, SBA has taken the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems.

    Recommendation: The Administrator of SBA should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 56)

    Agency Affected: Small Business Administration

  57. Status: Open

    Priority recommendation

    Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)

    Agency Affected: Small Business Administration

  58. Status: Open

    Priority recommendation

    Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.

    Recommendation: The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)

    Agency Affected: Social Security Administration
