GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of April 18, 2018, there are 5,184 open recommendations, of which 465 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Have a Question about a Recommendation?

  • For questions about a specific recommendation, contact the person or office listed with the recommendation.
  • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:

Subject Term: "Cyber security"

2 publications with a total of 6 priority recommendations
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

5 open priority recommendations
Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with the recommendation. The agency provided plans of action and milestones (POA&Ms) to address specific weaknesses that were overlooked in previous assessments; however, these POA&Ms do not address this recommendation. NASA needs to complete a re-evaluation of the security control assessments it has performed for the selected systems and take steps to ensure that such assessments include a comprehensive test of technical controls.

Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with the recommendation. NASA has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. NASA needs to specify the metrics it will use as part of its continuous monitoring efforts.

Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if a control is not implemented, and, where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls. OPM expects to complete this action in fiscal year 2018.

Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with our recommendation. As of July 2018, OPM was in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems, reviewing the training requirements for those individuals, including specialized training requirements, and reviewing how compliance is tracked.

Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments once the standards are complete. After OPM informs us that it has re-evaluated its tests of technical controls, we plan to verify the agency's actions.

Director: Joseph W. Kirschbaum
Phone: (202) 512-9971

1 open priority recommendation
Recommendation: To help improve DOD's planning and processes for supporting civil authorities in a cyber incident, the Secretary of Defense should direct the Under Secretary of Defense for Policy, in coordination with the Chairman of the Joint Chiefs of Staff, to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials (including the DOD components, supported and supporting commands, and the dual-status commander) to support civil authorities as needed in a cyber incident.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense concurred with the recommendation and indicated that, in response, it would update existing agency guidance (e.g., doctrine, directives, instructions) or develop new guidance as appropriate. Since we issued our report, DOD has issued several guidance documents, including Directive Type Memorandum 17-007, Interim Policy and Guidance for Defense Support to Cyber Incident Response (June 2017), and Joint Publication 3-12, Cyberspace Operations (June 2018), to prepare the department to provide support to civil authorities for a cyber incident. However, the Directive Type Memorandum did not identify or clarify which DOD combatant command (i.e., NORTHCOM and PACOM versus CYBERCOM) would serve as the supported versus supporting command, or the roles and responsibilities of a dual-status commander, when DOD is providing support to civil authorities for a cyber incident. Rather, the memorandum tasked the Joint Staff to designate the command responsibilities. Also, this Directive Type Memorandum was effective for one year and expired in June 2018. DOD has drafted a DOD Instruction that will replace this memorandum. Similarly, DOD has drafted another DOD Instruction that will supposedly provide policy and guidance on the use of dual-status commanders when providing support to civil authorities in a cyber incident. Joint Publication 3-12 likewise does not clarify the roles and responsibilities of combatant commands and the dual-status commander. Specifically, the joint publication states that when DHS requests support, the fundamental principles of DSCA used to respond to domestic emergencies in the physical domains also apply to cyberspace operations support. Per DOD's Unified Command Plan, NORTHCOM and PACOM are the supported commands for DSCA missions in the physical domain. However, Joint Publication 3-12 does not reiterate those roles and responsibilities.

Instead, when describing CYBERCOM's roles and responsibilities, it states that CYBERCOM could assume either supported or supporting command responsibilities based on the military order that is issued. When describing NORTHCOM and PACOM's roles and responsibilities, it states that those commands fulfill specific cyberspace operations responsibilities related to DSCA and homeland defense with CYBERCOM and others, as required. While the publication reiterates a basic DOD concept (DOD components should work together), it does not provide any clarification on which command will take the lead in planning, coordination, and execution (i.e., the supported command). Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, as we recommended, DOD will continue to experience uncertainty about the roles and responsibilities of different DOD components and commands with regard to providing support to civil authorities in the event of a significant cyber incident.