Skip to main content

Information Security: Privacy Program Improvements Could Enhance GAO Efforts to Protect Data and Systems

OIG-22-2 Published: Mar 31, 2022. Publicly Released: Mar 31, 2022.
Jump To:

Fast Facts

GAO relies extensively on information systems and technology to fulfill its mission and support needs.

We assessed GAO's efforts to protect its information systems and data against 5 key metrics established for Inspectors General to use when evaluating agency information security.

While GAO has taken steps to protect sensitive information and prevent data exfiltration, it could improve its privacy program by:

  • assessing impact to individuals and the organization during incident response
  • better defining privacy training for people who have greater access to personally identifiable information

We made 2 recommendations to address these issues.

Skip to Highlights




This report presents the OIG’s Fiscal Year (FY) 2021 assessment of the effectiveness of GAO’s information security program in relation to selected Federal Information Security Modernization Act of 2014 (FISMA) requirements.

What OIG Found

We assessed GAO’s information systems against selected FY 2021 Inspector General (IG) FISMA reporting metrics, and found certain aspects pertaining to management of data protection and privacy have opportunities for improvement. While GAO has taken steps to protect sensitive information and prevent data exfiltration, opportunities exist to improve its privacy program in the areas of incident response and training for people with specific roles.

  • GAO’s Incident Response plan does not contain all the recommended elements for addressing incidents involving Personally Identifiable Information (PII). Specifically, the current GAO incident response procedures do not contain documented procedures for assessing the potential damage to organizations and individuals resulting from the loss of PII.
  • All GAO employees and contractors receive privacy training annually, as part of a mandatory course on security and privacy awareness. However, we found that training for personnel with role-specific responsibility for PII has not been consistently implemented.

What OIG Recommends

We recommend that the Comptroller General direct the Chief Administrative Officer to direct the appropriate office(s) to (1) define and implement policies and procedures for incident response that align with NIST guidance for assessing privacy impact incidents and (2) define and implement policies and procedures for role-based privacy training which (a) identify who must regularly take the training, and (b) ensure annual compliance with such training. GAO agreed with the recommendations and outlined planned actions to address them.


Full Report

GAO Contacts