Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of State should ensure that State involves federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, such as unnecessary fragmentation, overlap, and duplication of these efforts, as it implements its plan to establish the Bureau of Cyberspace Security and Emerging Technologies.

Agency: Department of State
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

• measures of performance and formal mechanism to track progress of the execution of activities; and

• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

Agency: Executive Office of the President: National Security Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1)

Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open

Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.

Recommendation: The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.

Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171 , "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;" and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.

Recommendation: The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800 and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.

Recommendation: The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.

Recommendation: The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9)

Agency: Department of Transportation: Office of the Secretary
Status: Open

Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10)

Agency: Department of the Treasury: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to fully meet the key practice for programs to test that components and subsystems work together as a system in a controlled setting before finalizing a system's design. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify that acquisition programs demonstrate that components and subsystems work together before finalizing a system's design. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of updating the policy and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE, in coordination with OCPO, to develop an assessment process-including establishing performance measures-to help ensure T&E training achieves desired results. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the knowledge and skill requirements for the T&E workforce and establish performance goals for the training. DHS Test and Evaluation Division (TED), in coordination with OCPO, also plan to develop strategies to address any deficiencies with the current training that do not meet the identified requirements. In April 2020, TED officials said that they developed a new survey process to obtain recurring feedback from participants on the training's impact on their ability to perform T&E duties as assigned over time to inform the annual review of the T&E curriculum. However, this effort is still in a piloting stage so the extent to which this information is used to assess the training is still unknown at this time. As of July 2020, TED was still in the process of executing these efforts.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to revise T&E policy or guidance as necessary to specify when in the acquisition life cycle a major acquisition program manager should designate a level III certified T&E manager. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report DHS concurred with our recommendation and stated that it planned to update its T&E policy to specify when in the acquisition lifecycle acquisition program managers should designate a qualified T&E manager. In July 2020, DHS Test and Evaluation Division (TED) officials said they were in the process of revising the policy to include this specification and that it was undergoing management review with an anticipated completion in fall 2020. Once finalized, GAO will evaluate the revised policy to determine whether DHS has met the intent of this recommendation.

Recommendation: The Secretary for Homeland Security should direct the Director of OTE to establish an internal control process to ensure that data collected and maintained on major acquisition programs' T&E managers are reliable. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to establish an internal control process to reliably collect and maintain data on acquisition programs' assigned test and evaluation managers. In April 2020, DHS Test and Evaluation Division (TED) reported taking steps to ensure the validity of this data including establishing points of contacts within each component to cross-check collected information for accuracy and having the Director review collected data on a quarterly basis beginning in third quarter fiscal year 2020. As of July 2020, TED was still in the process of improving its internal collection process, but had not completed these efforts.

Recommendation: The Secretary for Homeland Security should direct the Under Secretary for Science and Technology to assess OTE's workforce to ascertain the extent to which it has the appropriate number of staff with the necessary skills to fulfill its responsibilities. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In providing comments on this report, DHS concurred with our recommendation and stated that it planned to assess the Test and Evaluation Division's (TED) workforce by reviewing current staffing levels and vacancies against the division's roles and responsibilities. The Senior Official Performing the Duties of the Under Secretary for Science and Technology plans to use the results of this review to inform strategic hiring in future years, if needed. In February 2020, DHS released its fiscal year 2020 strategic guidance memorandum for the Science and Technology (S&T) Directorate which included a statement pertaining to resourcing S&T's test and evaluation capabilities. However, as of July 2020, S&T had not yet conducted its review of TED's workforce.

Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that its intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for a unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Housing and Urban Developing should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, respond to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)

Agency: Department of the Interior
Status: Open
Priority recommendation

Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, . the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)

Agency: Department of State
Status: Open

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)

Agency: Department of State
Status: Open
Priority recommendation

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update it policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)

Agency: Office of Personnel Management
Status: Open

Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)

Agency: Small Business Administration
Status: Open
Priority recommendation

Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Agriculture should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate National Initiative for Cybersecurity Education (NICE) framework work role codes. (Recommendation 1)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture concurred with our recommendation and stated that it was identifying an internal team of subject-matter experts to collaborate with organizations across the department to review the assignment of the "000" code to positions and assist in determining the appropriate work role codes. As of April 2020, USDA expected to complete this activity by fall 2020. To fully implement this recommendation, USDA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Commerce should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 2)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Department of Commerce concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should complete the identification and coding of vacant positions in the department performing IT, cybersecurity, or cyber-related functions. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Defense should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 4)

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense concurred with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. To fully implement this recommendation, DOD will need to provide evidence that it has assigned appropriate National Initiative for Cybersecurity Education framework work role codes to its positions in the 2210 Information Technology management occupational series and assessed the accuracy of position descriptions.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Health and Human Services should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 8)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. As of March 2020, HHS has made significant progress toward reviewing the assignment of work role codes to its positions in the 2210 IT management occupational series and ensuring that such positions are not coded with the "000" code. To fully implement this recommendation, HHS will need to provide evidence that it has assigned the appropriate NICE framework work role codes to all or nearly all of its remaining positions in the 2210 IT management occupational series. We will continue to monitor the situation.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Homeland Security should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 9)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 is underway, and the department expects to complete its coding efforts by December 2020. As of January 2020, DHS has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, DHS will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Housing and Urban Development should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 10)

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The Department of Housing and Urban Development (HUD) agreed with this recommendation. In January 2020, HUD stated that it was in the process of reviewing its positions in the 2210 IT management occupational series and assigning appropriate work role codes. To fully implement this recommendation, HUD will need to correctly categorize the work roles and functions performed by IT and cyber-related personnel in order to be able to identify critical cybersecurity staffing needs.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of State should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 15)

Agency: Department of State
Status: Open
Priority recommendation

Comments: The Department of State concurred with the recommendation. In January 2020, we confirmed that State had assigned National Initiative for Cybersecurity Education (NICE) framework work role codes to its positions in the 2210 IT management occupational series. However, the department has not yet provided sufficient evidence to demonstrate that it has completed its efforts to assess the accuracy of position descriptions. To fully implement this recommendation, State will need to provide evidence that it has assessed the accuracy of position descriptions.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Secretary of Treasury should take steps to review the assignment of the "000" code to any positions in the department in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. (Recommendation 17)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: Treasury partially concurred with the recommendation and stated that some positions may not align to work roles in the National Initiative for Cybersecurity Education's (NICE) cybersecurity workforce framework. Treasury stated that it planned to review and validate the work role codes of its IT, cybersecurity, or cyber-related positions by March 2019. However, as of February 2020 Treasury had not provided evidence that it has implemented our recommendation. Until it assigns work role codes that are consistent with the IT, cybersecurity, and cyber-related functions performed by these positions, Treasury will continue to have unreliable information about its cybersecurity workforce that the department will need to identify its workforce roles of critical need.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should complete the identification and coding of vacant positions in the agency performing IT, cybersecurity, or cyber-related functions. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the Environmental Protection Agency should take steps to review the assignment of the "000" code to any positions in the agency in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 20)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. As of January 2020, EPA has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, EPA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should complete the identification and coding of vacant positions at NASA performing IT, cybersecurity, or cyber-related functions. (Recommendation 23)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration did not concur with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: To complete the appropriate assignment of codes to their positions performing IT, cybersecurity, or cyber-related functions, in accordance with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015, the Administrator of the National Aeronautics and Space Administration should take steps to review the assignment of the "000" code to any positions at NASA in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. (Recommendation 24)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. In March 2020, NASA indicated that it expected to implement the recommendation by September 30, 2020. To fully implement this recommendation, NASA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.

Recommendation: The Secretaries of Defense and of Transportation should address ADS-B Out security concerns by approving one or more solutions that address ADS-B Out -related security risks or incorporating mitigations for security risks into the existing draft memorandum of agreement. These approved solutions should address operations, physical, cyber-attack, and electronic warfare security risks; and risks associated with divesting secondary-surveillance radars. The solution or mitigations should be approved as soon as possible in order to allow sufficient time for implementation.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. As of August 2018, DOD and the FAA signed a memorandum of agreement that that establishes a framework for DOD and FAA to jointly address the provision to allow certain aircraft not to broadcast and airspace monitoring and defense security issues related to ADS-B, and identifies a path to fully address the recommendations in our report. The memorandum of agreement was a first step to address the security issues we highlighted in the report; however, FAA still needs to publish a National Procedural Guidance for accommodation of DOD needs for mixed-equipment operations and operational security concerns (expected December 2018).

Recommendation: The Secretaries of Defense and of Transportation should address ADS-B Out security concerns by approving one or more solutions that address ADS-B Out -related security risks or incorporating mitigations for security risks into the existing draft memorandum of agreement. These approved solutions should address operations, physical, cyber-attack, and electronic warfare security risks; and risks associated with divesting secondary-surveillance radars. The solution or mitigations should be approved as soon as possible in order to allow sufficient time for implementation.

Agency: Department of Transportation
Status: Open

Comments: DOT concurred with this recommendation. As of August 2018, DOD and the FAA signed a memorandum of agreement that that establishes a framework for DOD and FAA to jointly address the provision to allow certain aircraft not to broadcast and airspace monitoring and defense security issues related to ADS-B, and identifies a path to fully address the recommendations in our report.

Recommendation: The Secretary of Defense should direct DOD components to implement key tasks that would facilitate consistent, long-term planning and implementation of NextGen--such as those tasks that the Deputy Secretary of Defense originally directed in 2007, or any tasks that the Secretary deems appropriate based on a current assessment of the original tasks.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. As of August 2018, DOD has not taken action regarding the eight tasks GAO identified in the 2007 Deputy Secretary of Defense memorandum on ADS-B implementation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

Agency: Department of Homeland Security
Status: Open

Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forms and mechanisms that Section 9 entities receive cybersecurity information: through HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019 DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.