Recommendations Database

Jump To:

As of February 4, 2023, there are 4823 open recommendations that still need to be addressed. 463 of these are priority recommendations, those that we believe warrant priority attention. Learn more about our priority designation on our Recommendations page.

Search for open recommendations by agency, topic, subject, or keyword/phrase below, or view all open recommendations by agency.

Skip to main search results
Clear All Filters
1 - 20 of 213 Recommendations, including 23 Priority Recommendations

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

Show
9 Open Recommendations
Agency Recommendation Status
Department of Energy The Secretary of Energy, as SRMA for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 1)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Energy The Secretary of Energy, as SRMA for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 2)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Health and Human Services The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 3)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Health and Human Services The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 4)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Homeland Security The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S. Coast Guard to jointly work with the Department of Transportation's Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 5)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Homeland Security The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S Coast Guard to jointly work with the Department of Transportation's Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 6)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation The Secretary of Transportation should direct the Director, Office of Intelligence, Security and Emergency Response to jointly work with the Administrator of DHS's Transportation Security Administration and the Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 7)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation The Secretary of Transportation should direct the Director, Office of Intelligence, Security and Emergency Response to jointly work with the Administrator of DHS's Transportation Security Administration and the Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 8)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Office of Management and Budget The Director of OMB should, as required by the Internet of Things Cybersecurity Improvement Act of 2020, expeditiously establish a standardized process for the Chief Information Officer of each covered agency to follow in determining whether the IoT cybersecurity waiver may be granted. (Recommendation 9)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Secret Service Has Made Progress Toward Zero Trust Architecture, but Work Remains

Show
1 Open Recommendations
Agency Recommendation Status
United States Secret Service The Director of the Secret Service should instruct the agency's chief information officer to implement outstanding Office of Management and Budget requirements for transitioning to IPv6, particularly in regard to upgrading its public-facing systems. (Recommendation 1)
Open

As of January 2023, Secret Service has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.

DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

Show
6 Open Recommendations
Agency Recommendation Status
Department of Defense The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN assign responsibility for overseeing cyber incident reporting and leadership notification, and ensuring policy compliance. (Recommendation 1)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Defense The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN align policy and system requirements to enable DOD to have enterprise-wide visibility of cyber incident reporting to support tactical, strategic, and military strategies for response. (Recommendation 2)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Defense The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN include in new guidance on incident reporting include detailed procedures for identifying, reporting, and notifying leadership of critical cyber incidents. (Recommendation 3)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Defense The Secretary of Defense should ensure that the Commander of CYBERCOM—in coordination with DOD CIO and Directors of DC3 and DCSA—examines whether information on DIB-related cyber incidents handled by CSSPs is relevant to the missions of other DOD components, including DC3 and DCSA, and identifies when and with whom such information should be shared. (Recommendation 4)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Defense The Secretary of Defense should ensure that the DOD CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies. (Recommendation 5)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Defense The Secretary of Defense should ensure—through the Director of the Privacy, Civil Liberties, and Freedom of Information Directorate—that DOD components document instances where individuals affected by a privacy data breach were notified. (Recommendation 6)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

Show
4 Open Recommendations
Agency Recommendation Status
Department of Education The Secretary of Education, in consultation with the Cybersecurity and Infrastructure Security Agency and other stakeholders involved in updating the Education Facilities Sector-Specific Plan, should establish a collaborative mechanism, such as an applicable government coordinating council, to coordinate cybersecurity efforts between agencies and with the K-12 community. (Recommendation 1)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Education The Secretary of Education should develop metrics for obtaining feedback to measure the effectiveness of Education's K-12 cybersecurity-related products and services that are available for school districts. (Recommendation 2)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Education The Secretary of Education, in coordination with federal and nonfederal stakeholders, should determine how best to help school districts overcome the identified challenges and consider the identified opportunities for addressing cyber threats, as appropriate. (Recommendation 3)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Homeland Security The Secretary of the Department of Homeland Security should ensure that the Director of the Cybersecurity and Infrastructure Security Agency develops metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services that are available for school districts and determine the extent that CISA meets the needs of state and local-level school districts to combat cybersecurity threats. (Recommendation 4)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Note: the list of open recommendations for the last report may continue on the next page.

Have a Question about a Recommendation?

For questions about a specific recommendation, contact the person or office listed with the recommendation. For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.