Fast Facts

To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.

These key practices include:

Designating a cybersecurity risk executive

Developing a risk management strategy and policies

Assessing cyber risks

Coordinating between cybersecurity and enterprise-wide risk management functions

All but one of the 23 agencies we reviewed designated a risk executive. However, none of these agencies fully incorporated the other key practices into their programs.

We made 58 recommendations to federal agencies to help improve their cybersecurity risk management programs.

Highlights

What GAO Found

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:

Twenty-two agencies established the role of cybersecurity risk executive to provide agency-wide management and oversight of risk management.

Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.

Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.

Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.

Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.

Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs (see table).

Agency Challenges in Establishing Cybersecurity Risk Management Programs

Challenge                                                           Agencies reporting challenge
Hiring and retaining key cybersecurity management personnel         23
Managing competing priorities between operations and cybersecurity  19
Establishing and implementing consistent policies and procedures    18
Establishing and implementing standardized technology capabilities  18
Receiving quality risk data                                         18
Using federal cybersecurity risk management guidance                16
Developing an agency-wide risk management strategy                  15
Incorporating cyber risks into enterprise risk management           14

Source: GAO analysis of agency data. | GAO-19-384

In response to a May 2017 executive order, the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) identified areas for improvement in agencies' capabilities for managing cyber risks. Further, they have initiatives under way that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, OMB and DHS did not establish initiatives to address the other challenges on managing conflicting priorities, establishing and implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM. Without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.

Why GAO Did This Study

Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.

GAO was asked to review federal agencies' cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face. To do this, GAO reviewed policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to key federal cybersecurity risk management practices, obtained agencies' views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.

Recommendations

GAO is making 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges. Seventeen agencies agreed with the recommendations, one partially agreed, and four, including OMB, did not state whether they agreed or disagreed. GAO continues to believe all its recommendations are warranted.

Recommendations for Executive Action

Agency Affected | Recommendation | Status

Office of Management and Budget
The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)
Open
The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.
Department of Agriculture (Priority Rec.)
Priority recommendations are those that GAO believes warrant priority attention from heads of key departments or agencies.
The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)
Closed - Implemented
In June 2021, in response to our recommendation, the department issued its Cybersecurity Risk Management Strategy. This strategy addressed the key elements, including a statement of the department's risk tolerance and how it intends to assess, respond to, and monitor risk. By developing this strategy, USDA should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. Accordingly, we consider this recommendation to be implemented.
Department of Agriculture
The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)
Open
The Department of Agriculture did not state whether or not it concurred with this recommendation. The department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. As of March 2021, the department had not completed these updates or provided an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Agriculture (Priority Rec.)
The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)
Open
The Department of Agriculture did not state whether or not it concurred with this recommendation. The department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. As of March 2021, the department had not provided documentation of its process for cybersecurity and ERM coordination. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Commerce
The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)
Open
The Department of Commerce did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Commerce (Priority Rec.)
The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)
Closed - Implemented
In April 2021, in response to our recommendation, the department provided evidence that it had established a process for quarterly and annual organization-wide cybersecurity risk assessments, which provide an opportunity for the DOC Office of the Chief Information Officer (OCIO) to improve cybersecurity risk management strategies based on data gathered from Bureaus and organizational units across DOC. This process should help the department identify trends or prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to the systems and organization. Accordingly, we consider this recommendation to be implemented.
Department of Education (Priority Rec.)
The Secretary of Education should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 7)
Closed - Implemented
In April 2020, in response to our recommendation, Education updated its cyber risk management framework to address the missing elements identified in our report. The framework now includes a statement of risk tolerance and acceptable risk response strategies. As a result, Education now has a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data.
Department of Energy (Priority Rec.)
The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)
Open
The Department of Energy concurred with this recommendation. In February 2021, the department stated that it is developing a department-wide risk management plan, to include a risk management strategy. The department noted the development is still underway and did not provide an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Energy
The Secretary of Energy should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the identification of common controls. (Recommendation 9)
Closed - Implemented
The Department of Energy concurred with this recommendation and has taken steps to implement it. In February 2020, the department sent us its updated policy governing its cybersecurity program. This policy addresses the missing elements by requiring an organization-wide cybersecurity risk assessment and addressing the identification of common controls. Accordingly, we consider this recommendation to be implemented.
Department of Health and Human Services (Priority Rec.)
The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)
Open
The Department of Health and Human Services concurred with this recommendation. In March 2021, the department stated that its cybersecurity risk management strategy is undergoing internal review. The department did not provide a date that the review would be completed. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services
The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)
Open
The Department of Health and Human Services partially concurred with this recommendation. In March 2021, the department stated that its policies are undergoing revision and internal review to incorporate the missing elements, and that it expected these to be finalized by September 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services (Priority Rec.)
The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)
Open
The Department of Health and Human Services concurred with this recommendation. In March 2021, the department stated that a process for an organization-wide cybersecurity risk assessment is still under development and did not provide an estimated date of completion. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Health and Human Services
The Secretary of Health and Human Services should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 13)
Closed - Implemented
The Department of Health and Human Services concurred with this recommendation and has taken steps to implement it. In February 2020, HHS provided evidence to show that it has established a process for coordination between its cybersecurity risk management and enterprise risk management (ERM) functions. Specifically, the department established an Enterprise Risk Management Council to oversee and coordinate the implementation of ERM, in which the department's Chief Information Security Officer (CISO) was added as a voting member in order to provide perspectives on information security and privacy. Additionally, both the CISO and Chief Information Officer (CIO) attend meetings of the ERM council. Accordingly, we consider this recommendation implemented.
Department of Homeland Security (Priority Rec.)
The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)
Closed - Implemented
The Department of Homeland Security concurred with this recommendation. In March 2021, DHS provided its OCIO Management Cybersecurity Risk Management Strategy, and the strategy addresses the key elements identified in our report. This includes a statement of risk tolerance and how the agency intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation implemented.
Department of Homeland Security (Priority Rec.)
The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)
Open
The Department of Homeland Security concurred with this recommendation. The department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. As of March 2021, the department had not provided documentation specifying the details of this coordination process or an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Housing and Urban Development (Priority Rec.)
The Secretary of Housing and Urban Development should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)
Closed - Implemented
The Department of Housing and Urban Development concurred with this recommendation and has taken steps to implement it. In September 2020, the department issued its Cybersecurity Risk Management Strategy and in May 2021 issued its Office of the Chief Information Officer (OCIO) Enterprise Risk Management Standard Operating Procedure, which provides additional details on how the OCIO will identify, assess, respond to, and monitor enterprise risks in order to support HUD's business objectives. Taken together, these documents address the key elements identified in our report. By establishing a strategy that addresses key elements, HUD should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data.
Department of Housing and Urban Development
The Secretary of Housing and Urban Development should update the department's policies to require the use of risk assessments to inform POA&M prioritization. (Recommendation 17)
Closed - Implemented
The Department of Housing and Urban Development concurred with this recommendation and has taken steps to implement it. In March 2020, HUD updated its POA&M procedures to include a requirement that considerations of risk inform the prioritization of POA&Ms. Accordingly, we consider this recommendation to be implemented.
Department of the Interior (Priority Rec.)
The Secretary of the Interior should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 18)
Closed - Implemented
The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Interior Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the department's Enterprise Cybersecurity Risk Management Program. This plan includes the elements identified in our report, including a statement of risk tolerance and how the department intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation to be implemented.
Department of the Interior
The Secretary of the Interior should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 19)
Closed - Implemented
The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the Department of the Interior's Enterprise Cybersecurity Risk Management Program. This plan includes a provision for a department-wide assessment of cybersecurity risks. Specifically, the plan states that the Cyber Risk Office is responsible for aggregating risks from all levels, ensuring visibility at various levels of senior management. Accordingly, we consider this recommendation to be implemented.
Department of the Interior (Priority Rec.)
The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)
Closed - Implemented
The Department of the Interior concurred with this recommendation. In April 2021, in response to our recommendation, the department provided evidence that it had established a process for coordination between its cybersecurity and enterprise risk management (ERM) functions. Specifically, the department established a group including the departmental chief information officer (CIO) and bureau-level CIOs that is responsible for, among other things, raising issues of concern to appropriate senior officials. This includes raising significant IT risks to the department's Chief Risk Officer (CRO), who serves as the principal senior staff member in carrying out ERM responsibilities, such as maintaining a comprehensive portfolio of enterprise risks and providing department leadership with information regarding the status of ERM efforts and management of individual risks. This coordination process should help Interior better address significant cybersecurity risks in the context of other risks and their potential impacts on the mission of the agency. Accordingly, we consider this recommendation to be implemented.
Department of Justice (Priority Rec.)
The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)
Open
In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of March 2021, the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks, but had not yet provided sufficient evidence to demonstrate that its strategy addresses the key elements identified in our report. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Justice (Priority Rec.)
The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)
Open
In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of March 2021, the department had stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions, but it had not provided sufficient documentation of this process. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of Labor
The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)
Open
The Department of Labor concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Department of State
The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)
Open
The Department of State concurred with this recommendation. As of February 2021, the department stated that it is actively working to update the applicable policies and procedures and they are undergoing internal review. The department did not provide an estimated completion date for the review. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of State (Priority Rec.)
The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)
Open
The Department of State concurred with this recommendation. As of February 2021, the department stated that it is actively working to update the applicable policies and procedures, and they are undergoing internal review. The department did not provide an estimated completion date for the review. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation (Priority Rec.)
The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)
Open
The Department of Transportation concurred with this recommendation. As of March 2021, the department stated that it is working toward implementation of this recommendation and plans to provide an update to GAO by January 2022. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation
The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)
Open
The Department of Transportation concurred with this recommendation. The department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment, but as of March 2021, it had not provided these updated policies and procedures or an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Transportation (Priority Rec.)
The Secretary of Transportation should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 28)
Closed - Implemented
In April 2020, in response to our recommendation, the department updated its Information Technology Risk Management standard operating procedure, which describes, among other things, how the department's Office of the Chief Information Officer is to coordinate with the office responsible for enterprise risk management (ERM) functions. This includes the incorporation of cybersecurity and privacy risks into the department's ERM process. Accordingly, senior leadership at Transportation responsible for ERM is in a better position to be fully aware of significant cybersecurity risks and, thus, positioned to address them in the context of other risks and their potential impacts on the mission of the agency.
Department of the Treasury (Priority Rec.)
The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)
Closed - Implemented
In March 2021, in response to our recommendation, Treasury finalized its Enterprise Cyber Security Risk Management Strategy. This strategy addresses the key elements identified in our report, including a statement of the department's risk tolerance and how it intends to assess, respond to, and monitor cyber risks. By developing this strategy, Treasury should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. Accordingly, we consider this recommendation to be implemented.
Department of the Treasury (Priority Rec.)
The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)
Closed - Implemented
In March 2021, in response to our recommendation, Treasury provided evidence to show that it had developed a process for conducting an organization-wide cybersecurity risk assessment. This includes a consolidated enterprise risk register that includes data from multiple sources to identify cybersecurity risks across the IT enterprise and an analytical system to aggregate data from multiple different sources and score, rank, and prioritize risks to show the most pressing cyber risks across the organization. By establishing such a process, Treasury has enhanced its ability to identify trends or prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to the systems and organization. Accordingly, we consider this recommendation to be implemented.
Department of the Treasury
The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)
Open
The Department of the Treasury did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Department of Veterans Affairs (Priority Rec.)
The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)
Open
The Department of Veterans Affairs concurred with this recommendation. The department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)
Closed - Implemented
The Department of Veterans Affairs concurred with this recommendation. In response to our recommendation, VA provided its cybersecurity directive, updated in February 2021, which calls for VA to develop an understanding of enterprise-wide cybersecurity and privacy risks through risk assessments and the sharing of risk information across the department. By ensuring that its policies include key cybersecurity risk management activities, VA enhances its ability to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. Accordingly, we consider this recommendation to be implemented.
Department of Veterans Affairs
Priority Rec.
The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)
Open
The Department of Veterans Affairs concurred with this recommendation. VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Department of Veterans Affairs
The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)
Open
The Department of Veterans Affairs concurred with this recommendation. VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. However, as of March 2021, we had not received evidence of these actions or a revised estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
United States Agency for International Development
The Administrator of the United States Agency for International Development (USAID) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 36)
Closed - Implemented
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided its updated Risk Management Framework Handbook, which (1) states that the agency's Chief Information Officer, Senior Agency Official for Privacy, and Chief Information Security Officer are to aggregate system assessments to develop enterprise/organizational risk assessment results that inform the risk management strategies and (2) outlines a process for control tailoring informed by risk considerations. Accordingly, we consider this recommendation to be closed and implemented.
United States Agency for International Development
The Administrator of USAID should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 37)
Closed - Implemented
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided evidence that it had established a process for conducting an organization-wide cybersecurity risk assessment. Specifically, the agency developed a dashboard that aggregates cyber indicators for systems from organizations and sub-organizations across the agency. The status of these items is scored according to a standard formula that allows the agency to produce a score at the system, bureau, and organization levels. These results are briefed to the CIO and allow the agency's CIO organization to prioritize resources as necessary for any problematic areas. Accordingly, we consider this recommendation to be closed and implemented.
Environmental Protection Agency
Priority Rec.
The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)
Closed - Implemented
In response to our recommendation, in December 2020, EPA provided its updated cybersecurity risk management strategy, which addresses key elements called for in federal guidance. This includes a discussion of the agency's risk tolerance, and how it intends to assess, respond to, and monitor cybersecurity risks on an ongoing basis. By updating its strategy to include all key elements, EPA should enhance its organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect the agency's systems and data. Accordingly, we consider this recommendation to be implemented.
Environmental Protection Agency
The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)
Closed - Implemented
EPA has taken steps to implement this recommendation. In May 2020, in response to our recommendation, EPA issued its Information Security Risk Management Strategic Plan. Among other things, the plan discusses how the agency will assess risk at various organizational levels, including providing for an organization-wide cybersecurity risk assessment. The plan requires the Senior Agency Information Security Official to leverage various tools and information to determine system level and, in aggregate, mission- and agency-level cybersecurity risks. By ensuring that its policies include key cybersecurity risk management activities, EPA enhances its ability to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. Accordingly, we consider this recommendation to be implemented.
Environmental Protection Agency
Priority Rec.
The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. While EPA's updated cybersecurity risk management strategy calls for the agency to develop an organization-wide perspective on cybersecurity risks, as of April 2021, the agency had not provided evidence that it had developed a process for aggregating information from system-level risk assessments, continuous monitoring, and other sources to allow the agency to assess the risk from the operation and use of its information systems from an agency-wide perspective. We are continuing to follow up with EPA to verify whether implementation has occurred.
Environmental Protection Agency
The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)
Open
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of March 2021, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
General Services Administration
Priority Rec.
The Administrator of General Services should designate and document a risk executive function with responsibilities for organization-wide cybersecurity risk management. (Recommendation 42)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, and the updated strategy designates and documents the agency's risk executive function. Specifically, it states that the risk executive function at GSA is handled by the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management. Further, for cybersecurity risks, the Chief Information Security Officer (CISO), Authorizing Officials, and subject matter experts facilitate the consistent application of risk management across GSA. The CISO coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
General Services Administration
The Administrator of General Services should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 43)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In July 2020, GSA provided an updated IT security policy, which requires an organization-wide cybersecurity risk assessment. Specifically, policy states that the risk executive function is responsible for, among other things, determining organizational risk based on the aggregated risk from the operation and use of information systems and the respective environments of operation. Accordingly, we consider this recommendation to be implemented.
General Services Administration
Priority Rec.
The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In October 2020, GSA provided evidence of a process for aggregating system-level risks and communicating them to the enterprise level. These risks are communicated via regular reports to officials throughout the agency, including the GSA Administrator. Further, the agency's Enterprise Executive Risk Subcommittee identifies and monitors agency-wide risks facing GSA, coordinating with risk owners to engage the GSA Enterprise Management Board in risk mitigation and elimination. Accordingly, we consider this recommendation to be implemented.
General Services Administration
The Administrator of General Services should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 45)
Closed - Implemented
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, which includes a process for coordination between cybersecurity risk management and enterprise risk management functions. Specifically, it states that the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management, is responsible for managing and monitoring key organizational risks. Further, the agency's Chief Information Security Officer coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
National Aeronautics and Space Administration
The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)
Open
NASA concurred with this recommendation. The agency stated that it is working to address gaps in its cybersecurity policy, but as of March 2021 it had not provided evidence of an updated policy or an estimated completion date. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
National Aeronautics and Space Administration
Priority Rec.
The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)
Open
NASA agreed with this recommendation and, in April 2021, stated that it planned to implement this recommendation by September 30, 2021. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
National Science Foundation
The Director of the National Science Foundation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 48)
Closed - Implemented
NSF concurred with this recommendation and has taken steps to implement it. In December 2019, NSF provided an updated IT Security and Privacy Risk Management Strategy and an updated Information Security and Privacy Continuous Monitoring Program policy. After reviewing these documents, we determined that NSF's updated strategy includes the key elements identified in our report, including a statement of risk tolerance and how the agency intends to assess and monitor risk. Accordingly, we consider this recommendation to be closed and implemented.
Nuclear Regulatory Commission
Priority Rec.
The Chairman of the Nuclear Regulatory Commission (NRC) should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 49)
Closed - Implemented
NRC concurred with this recommendation and has taken steps to implement it. In September 2020, NRC issued its Risk Management Strategy, which addresses the key elements identified in our report. Specifically, the strategy includes a statement of the agency's risk tolerance and descriptions of how it intends to assess, respond to, and monitor cyber risks. Accordingly, we consider this recommendation to be implemented.
Nuclear Regulatory Commission
The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)
Closed - Implemented
NRC concurred with this recommendation. In January 2021, NRC provided evidence to show that its updated policies incorporate these two elements. Specifically, its updated policies require an organization-wide risk assessment and the prioritization of POA&Ms based on an assessment of risk. Accordingly, we consider this recommendation to be implemented.
Nuclear Regulatory Commission
The Chairman of NRC should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 51)
Closed - Implemented
NRC concurred with this recommendation and has taken steps to implement it. Specifically, in December 2019, NRC officials provided documentation showing that the agency had developed a process for an organization-wide cybersecurity risk assessment. The process includes an aggregation of security-related indicators from across the organization and provides an assessment or scoring for each NRC office or region. The assessment is available through an agency dashboard, which displays progress against an agency-developed metric, as well as the quantified risk associated with each office and region. Accordingly, we consider this recommendation closed and implemented.
Nuclear Regulatory Commission
The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)
Closed - Implemented
NRC concurred with this recommendation. In February 2021, NRC provided evidence that it established such a process. Specifically, the agency's Enterprise Risk Management Council (ERMC) is responsible for organization-wide efforts to manage risk; it advises on the strategically aligned portfolio view of risks for the agency and serves as a strategic advisor on integrating enterprise risk management practices into daily business operations and decision-making. The ERMC is advised of all enterprise-level risks, including cyber risk, and its membership includes the Chief Risk Officer and Chief Information Officer, among others. Accordingly, we consider this recommendation to be implemented.
Office of Personnel Management
The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)
Open
OPM concurred with this recommendation and stated that it planned to update its policies to address the missing elements. As of March 2021, the agency had not provided evidence of its updated policies or an estimated completion date. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Office of Personnel Management
Priority Rec.
The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)
Open
OPM concurred with this recommendation. In January 2021, the agency stated that its initial plans to implement the recommendation were delayed due to resource challenges and that it plans to revisit this effort in the second quarter of FY 2021. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Small Business Administration
The Administrator of the Small Business Administration (SBA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 55)
Closed - Implemented
SBA concurred with this recommendation and has taken steps to implement it. In March 2020, SBA provided its updated risk management framework implementation procedures. These procedures address the missing elements, such as a statement of risk tolerance and acceptable risk response strategies. Accordingly, we consider this recommendation closed and implemented.
Small Business Administration
The Administrator of SBA should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 56)
Closed - Implemented
In March 2020, in response to our recommendation, SBA updated its Risk Management Framework implementation procedures to require an organization-wide cybersecurity risk assessment and the use of risk assessments to inform POA&M prioritization. Accordingly, SBA has taken the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems.
Small Business Administration
Priority Rec.
The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)
Closed - Implemented
SBA concurred with this recommendation and has taken steps to implement it. Specifically, in response to our recommendation, the agency developed a process for an organization-wide cybersecurity risk assessment and in January 2021 provided evidence of this process. The process includes aggregating risks from various internal and external data sources, scoring them according to a defined risk assessment methodology, and identifying key agency-wide risks, which are reported to agency leadership along with recommended actions for remediation. Accordingly, we consider this recommendation to be implemented.
Social Security Administration
Priority Rec.
The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)
Closed - Implemented
SSA concurred with this recommendation. In March 2021, in response to our recommendation, SSA provided evidence that it had established a coordination process between its cybersecurity and enterprise risk management (ERM) functions. Specifically, the agency established an ERM council to provide governance for the agency's ERM function. The membership of this council includes, among others, the agency's Chief Information Officer and Chief Information Security Officer, and the latter official serves as the agency's cybersecurity risk executive. This coordination should better position SSA to address significant cybersecurity risks in the context of other risks and their potential impacts on the agency's mission. Accordingly, we consider this recommendation to be implemented.