The Department of Housing and Urban Development (HUD) is not effectively protecting sensitive information exchanged with external entities. Of four leading practices for such oversight, HUD did not address one practice and only minimally addressed the other three in its security and privacy policies and procedures. For example, HUD minimally addressed the first leading practice because its policy

The federal government has long identified the financial services sector as a critical component of the nation's infrastructure. The sector includes commercial banks, securities brokers and dealers, and providers of the key financial systems and services that support these functions. Altogether, the sector holds about $108 trillion in assets and faces a variety of cybersecurity-related risks. Key

Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residin

The Office of Congressional Workplace Rights (OCWR) did not incorporate key cybersecurity management practices into the planning for its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project. While OCWR drafted a SOCRATES project schedule, the office did not finalize and use this schedule to manage cybersecurity activities, such as the time frames for conducting informati

Federal agencies, including the Department of Veterans Affairs (VA), continue to have deficient information security programs. For example, in fiscal year 2018, inspectors general (IGs) used a five-level maturity model to rate agency information security policies, procedures, and practices related to the five core security functions—identify, protect, detect, respond, and recover—established

During fiscal year 2018, many federal agencies were often not adequately or effectively implementing their information security policies and practices. For example, most of the 16 agencies GAO selected for review had deficiencies related to implementing the eight elements of an agency-wide information security program required by the Federal Information Security Modernization Act of 2014 (FISMA).

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost alwa

Of six important leading practices for effective business process reengineering and information technology (IT) requirements management, the Federal Emergency Management Agency (FEMA) fully implemented four and partially implemented two for the Grants Management Modernization (GMM) program. Specifically, FEMA ensured senior leadership commitment, took steps to assess its business environment and

The 23 civilian agencies covered by the Chief Financial Officers Act of 1990 (CFO Act) have often not effectively implemented the federal government's approach and strategy for securing information systems. Until agencies more effectively implement the government's approach and strategy, federal systems will remain at risk. To illustrate: (1) As required by Office of Management and Budget (OMB),

The Department of Education's Office of Federal Student Aid (FSA) partners with various entities ("non-school partners") that are involved primarily in supporting the repayment and collection of student loans. (1) Federal loan servicers are responsible for collecting payments on loans and providing customer service to borrowers on behalf of the Department of Education through its Direct Loan prog