Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: The Secretary of Defense should direct the Director, Office of Cost Assessment and Program Evaluation to conduct an independent schedule assessment of the full program schedule for the Global Positioning System's next generation operational control system based on progress made through the end of calendar year 2019. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD did not concur with our recommendation to conduct an independent assessment of the full OCX program schedule based on progress made through the end of calendar year 2019, citing an independent cost and schedule estimate conducted in September 2018 and other ongoing program assessment and monitoring efforts. GAO continues to affirm that the recommendation is necessary given that DOD has not conducted an assessment of the full schedule since June 2018, since which time program risks have evolved. Additionally, ongoing oversight efforts are limited in scope and do not include the developmental test period after product delivery. As of August 2020, the Air Force position remains a non-concur, based on the same rationale previously noted.

Recommendation: The Secretary of Defense should ensure the department's guidance that addresses software development provides specific, required direction on when and how often to involve users so that such involvement is early and continues through the development of the software and related program components. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation and issued an interim Software Acquisition Pathway policy in January 2020 that addresses software development, including direction on user involvement. As of August 2020, this interim policy has not yet been finalized. According to DOD officials, a final policy is currently under development and is expected to be issued by the end of December 2020.

Recommendation: The Secretary of Defense should ensure the department's guidance that addresses software development provides specific, required direction on documenting and communicating user feedback to stakeholders during software system development. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. As of August 2020, DOD has issued an interim Software Acquisition Pathway that addresses software development, including direction on user involvement. According to DOD officials, this interim pathway is planned to be replaced by a final policy that is currently under development and is expected to be issued by the end of December 2020.

Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

Agency: Department of Homeland Security
Status: Open

Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. In August 2020, DHS officials provided GAO with additional information regarding their progress on implementing the recommendation. We will update the status of this recommendation after we review the additional information from DHS.