Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

• measures of performance and formal mechanism to track progress of the execution of activities; and

• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

Agency: Executive Office of the President: National Security Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector's ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The CISA Director should ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. Specifically, in March 2020 CISA finalized its operations plan for the 2020 elections. CISA's operations plan addresses one of the 13 objectives and key actions from the strategic plan -- monitor threat activity. While CISA's operations plan is to supplement the agency's strategy, the plan does not fully address any of the four lines of effort and the other 12 objectives outlined in the strategic plan. When examining the key actions for the remaining 12 objectives in the strategic plan, we were only able to confirm that 10 of the 27 key actions called for in those strategic plan objectives were fully addressed. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The CISA Director should document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency's 2020 planning. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. We reported in February 2020 that CISA's strategic plan had only addressed three challenges from its external lessons learned review. Subsequently, CISA addressed two additional challenges in its operations plan, which was finalized in March 2020, and its election infrastructure subsector specific plan, which was updated in March 2020. CISA's plans addressed challenges regarding the agency's role in sharing and collecting intelligence across the election community and facilitating industry-wide vulnerability disclosures. However, CISA has not documented how the agency intends to address other identified challenges and how it will incorporate remedial actions into the agency's 2020 planning. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Homeland Security should develop a strategy to independently validate selected agencies' self-reported actions on meeting binding operational directive requirements, where feasible, using a risk-based approach. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.

Recommendation: The Secretary of Homeland Security should develop a schedule and plan for completing the high value asset program reassessment and addressing the outstanding issues on completing the required high value asset assessments, identifying needed resources, and finalizing guidance for Tier 2 and 3 HVA systems. (Recommendation 4)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to fully meet the key practice for programs to test that components and subsystems work together as a system in a controlled setting before finalizing a system's design. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify that acquisition programs demonstrate that components and subsystems work together before finalizing a system's design. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of updating the policy and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE, in coordination with OCPO, to develop an assessment process-including establishing performance measures-to help ensure T&E training achieves desired results. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the knowledge and skill requirements for the T&E workforce and establish performance goals for the training. DHS Test and Evaluation Division (TED), in coordination with OCPO, also plan to develop strategies to address any deficiencies with the current training that do not meet the identified requirements. In April 2020, TED officials said that they developed a new survey process to obtain recurring feedback from participants on the training's impact on their ability to perform T&E duties as assigned over time to inform the annual review of the T&E curriculum. However, this effort is still in a piloting stage so the extent to which this information is used to assess the training is still unknown at this time. As of July 2020, TED was still in the process of executing these efforts.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to specify when in the acquisition life cycle a major acquisition program manager should designate a level III certified T&E manager. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify when in the acquisition lifecycle acquisition program managers should designate a qualified T&E manager. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of revising the policy to include this specification and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to establish an internal control process to ensure that data collected and maintained on major acquisition programs' T&E managers are reliable. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to establish an internal control process to reliably collect and maintain data on acquisition programs' assigned test and evaluation managers. In April 2020, DHS Test and Evaluation Division (TED) reported taking steps to ensure the validity of this data including establishing points of contacts within each component to cross-check collected information for accuracy and having the Director review collected data on a quarterly basis beginning in third quarter fiscal year 2020. As of July 2020, TED was still in the process of improving its internal collection process, but had not completed these efforts.

Recommendation: The Secretary for Homeland Security should direct the Under Secretary for Science and Technology to assess OTE's workforce to ascertain the extent to which it has the appropriate number of staff with the necessary skills to fulfill its responsibilities. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the Test and Evaluation Division's (TED) workforce by reviewing current staffing levels and vacancies against the division's roles and responsibilities. The Senior Official Performing the Duties of the Under Secretary for Science and Technology plans to use the results of this review to inform strategic hiring in future years, if needed. In February 2020, DHS released its fiscal year 2020 strategic guidance memorandum for the Science and Technology (S&T) Directorate which included a statement pertaining to resourcing S&T's test and evaluation capabilities. However, as of July 2020, S&T had not yet conducted its review of TED's workforce.

Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: The Secretary of DHS should direct the appropriate staff to work with OMB to follow up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS provided evidence in December 2019 but it was insufficient to close this recommendation. We will continue to follow-up with DHS.

Recommendation: The Director of OMB should submit the intrusion assessment plan to the appropriate congressional committees. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should report on implementation of the defense-in-depth strategy described in the intrusion assessment plan, including all elements described in the plan. (Recommendation 4)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should update the analysis of agencies' intrusion detection and prevention capabilities to include the degree to which agencies are using NCPS. (Recommendation 5)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to update her report to Congress to include required information, such as detecting advanced persistent threats, a comparison of the costs and benefits of the capabilities versus commercial technologies and tools, and the capability of agencies to protect sensitive cyber threat indicators and defense measures. (Recommendation 6)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to work with DHS to follow-up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 9)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA reported that it completed a review of the Pipeline Security Guideline criteria for determining critical facilities. TSA sought and received pipeline stakeholder comments following their review of the criteria. According to TSA officials, TSA is sharing draft criteria with federal stakeholders and anticipates completion of the review by December 31, 2020. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should develop a strategic workforce plan for its Security Policy and Industry Engagement's Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR). (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Priority recommendation

Comments: As of June 2020, TSA reported that officials, including TSA's Office of Human Capital Strategic Planning, began collaborating to draft a strategic workforce plan for the pipeline security section of TSA. According to the officials, while this effort was delayed as TSA's Office of Human Capital needed focus on protecting TSA's workforce in response to the COVID-19 public health emergency, progress has been made. Phase one of a four-phase process began the week of 6/8/2020, with a Manpower Study to be completed by October 2020. The second phase will be a job skills/competency analysis and the third and fourth phases are position management and classification, and plan development and approval, respectively. TSA estimated completion of the workforce plan by June 30, 2021. We will continue to monitor the status of these efforts to develop a strategic workforce plan in response to this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA officials reported meeting with representatives from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) in February and March 2019 for their input on the identification of sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities. TSA officials also reported meeting with RAND personnel in March 2020 to discuss possible contract options for addressing this recommendation. Further action on this recommendation has been limited due to work on the COVID-19 response. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach. (Recommendation 7)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, DHS officials reported that TSA will take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool after addressing recommendations 4,5, and 6 of this report. DHS estimated that this effort would be completed by April 30, 2021.

Recommendation: The Director of the Defense Security Service should determine how it will collaborate with stakeholders as it pilots a new approach to overseeing contractors with cleared facilities (DSS in Transition), including identifying roles and responsibilities and the related resources needed. (Recommendation 1)

Agency: Department of Defense: Defense Security Service
Status: Open

Comments: DOD agreed with this recommendation and as of February 2019, stated that it continues to pilot DSS in Transition at cleared facilities and use information gathered from stakeholders, including key government and industry stakeholder organizations to refine the process. On August 12, 2020, DOD stated that DSS was in the process of drafting a Corrective Action Plan. At that time, DOD officials explained that this plan would be completed in the fourth quarter of fiscal year 2019. As of September 2020, this plan has not been completed.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially concurred with the recommendation. OPM has improved its POA&M management system. Using this system, the agency provided, on 08-27-19, milestones showing timely validation of evidence for closing one US-CERT recommendation. However, OPM has not provided support showing timely validation of 16 other US-CERT recommendations that it has closed. OPM needs to provide evidence of timely validation of these 16 completed recommendations, or evidence for the two US-CERT recommendations that remain open, once these two have been closed and validated. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with the recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop role-based training requirements for its continuous monitoring program, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to issue role-based training requirements for individuals who configure and maintain the deployed continuous diagnostics and mitigation tools. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.

Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.

Recommendation: The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should include more complete information on the assessments--that is, security plans, vulnerability assessments, independent assessments, and other assessments--used in the annual reports to support the agencies' assessments that DOE and NNSA sites are secure.

Agency: Department of Energy
Status: Open

Comments: We reported in May 2019 that DOE and NNSA continued to make progress in responding to this recommendation. The draft 2018 annual report contained, as recommended, more complete and uniform information on assessments, though in some cases different terminology was used by programs and sites. As of June 2020, we have requested final 2018, 2019, and 2020 annual reports from NNSA to ensure progress has continued. Once we have received and reviewed the reports, we will update the status of this recommendation.

Recommendation: Additionally, the Secretary of Energy should develop a plan for addressing the physical security infrastructure needs at DOE sites. Similar to a report under development by NNSA, this plan could identify cost and time frames and enable DOE and the Congress to prioritize these projects.

Agency: Department of Energy
Status: Open

Comments: As of June 2020, DOE has not implemented this recommendation. While DOE program offices (Environmental Management, Science, and Nuclear Energy) are individually considering long-term needs, the program offices are not required by Congress to submit the kind of physical security plan that Congress requires of NNSA. In the absence of Congressional direction, we believe it is unlikely that DOE will fully implement this recommendation.

Recommendation: Additionally, the Secretary of Energy should, in future annual security certification reports, inform Congress of the reasons for the delayed implementation of the June 2011 DOE material control and accountability order at some sites, as well as the steps DOE and its sites are taking to implement it. DOE should also provide Congress with information on any vulnerabilities or deficiencies in the security at sites that may potentially exist while the sites complete implementation of the order as well as information on any concomitant adjustment to their security posture that is required.

Agency: Department of Energy
Status: Open

Comments: As of June 2020, we are continuing to monitor actions related to this recommendation. DOE has acknowledged in a classified memorandum the security risks associated with the slow pace of the material control and accountability order. DOE has also developed a plan to implement measures to address these risks in a phased approach with final implementation sometime in the 2020s. Some of the early phases will be complete between 2019 and 2022, but others will extend beyond 2022. As such, it will be important for DOE to continue to report to Congress on residual risk until planned actions are fully completed and their implementation has been verified by the relevant DOE program offices and DOE's Office of Enterprise Assessments. We will update the status of this recommendation once we have we have received and reviewed DOE's classified 2018-2020 annual reports to ensure this action is taken.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

Agency: Department of Homeland Security
Status: Open

Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forms and mechanisms that Section 9 entities receive cybersecurity information: through HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019 DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.