Reports & Testimonies
GAO’s reports and testimonies give Congress, federal agencies, and the public timely, fact-based, non-partisan information that can improve government operations and save taxpayers billions of dollars.
Most Recent Reports
Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information
Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges. In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:
Improve implementation of government-wide cybersecurity initiatives
Address weaknesses in federal agency information security programs
Enhance the federal response to cyber incidents to better protect...
Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight
Federal IT systems and our nation's critical infrastructure are at risk of attack from malicious actors, including those acting on behalf of other nations. Such attacks could result in serious harm to human safety, national security, the environment, and the economy. The federal government should:
establish a comprehensive cybersecurity strategy
mitigate global supply chain risks
address the federal cybersecurity worker shortage
ensure the security of...
Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking
Military personnel who complete advanced cyber training—which may take a year or more and costs DOD hundreds of thousands of dollars—may not remain in the military for a significant time after training. We found that 2 of the 4 military services are not positioned to ensure adequate return on their investment in advanced cyber training. While the Navy and Air Force require 3 years of...
Information Technology and Cybersecurity: Evolving the Scorecard Remains Important for Monitoring Agencies' Progress
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including provisions such as the Federal Information Technology Acquisition Reform Act (FITARA). We testified that, since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. The scorecards have evolved and served as...
Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices
The nation's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list. Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks...
Science & Tech Spotlight: Zero Trust Architecture
Zero trust architecture (ZTA) is a cybersecurity approach that authenticates and authorizes every interaction between a network and a user or device—in contrast to traditional cybersecurity models that allow users or devices to move freely within the network once they are granted access. ZTA works on the "never trust, always verify" principle and assumes that attacks will come from within and outside of the network...
Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure
A network of over 1,600 offshore facilities produces a significant portion of U.S. domestic oil and gas. These facilities, which rely on technology to remotely monitor and control equipment, face a growing risk of cyberattacks. A cyberattack on these facilities could cause physical, environmental, and economic harm. And disruptions to oil and gas production and transmission could affect supplies and markets. The Department of the...
Ransomware: Federal Coordination and Assistance Challenges
Ransomware is software that makes data and systems unusable unless ransom payments are made. State, local, tribal, and territorial government organizations—including schools—have been targeted by ransomware. This can affect vital government operations and services. Ransomware attacks on schools can cause learning loss as well as monetary loss. Several federal agencies provide direct assistance to these organizations in preventing and responding to ransomware attacks. We discuss...
Cybersecurity: Secret Service Has Made Progress Toward Zero Trust Architecture, but Work Remains
With the ever-increasing threat of cyberattacks, the Secret Service is adopting a "zero trust" approach to cybersecurity. This "zero trust architecture" requires constant verification of everything that's trying to connect to an organization's IT systems. The Secret Service developed a plan to implement this with 4 milestones, such as assessing agency IT systems against federal guidance and implementing cloud services. But the agency created this...
DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared
Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations. DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD:
Hasn't fully implemented its processes for managing cyber incidents
Doesn't have complete data on cyber incidents that staff...
Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity
U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations. Three federal agencies assist schools in protecting against cyber threats. But there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. Also, the agencies don't measure or obtain...
Ransomware: Federal Agencies Provide Useful Assistance but Can Improve Collaboration
Ransomware is malicious software that encrypts files and leaves data and systems unusable. With ransomware attacks, hackers gain entry into a system, lock out users, and demand payment to regain access. Homeland Security, FBI, and Secret Service help state, local, and other governments prevent or respond to ransomware attacks on systems like emergency services. Most government entities said they're satisfied with the agencies' prevention...
Cybersecurity Workforce: Actions Needed to Improve CyberCorps Scholarship for Service Program
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation. We found:
NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6
NSF hasn't implemented a strategy to effectively manage risks and challenges, such...
Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices
The National Nuclear Security Administration (NNSA) is increasingly relying on advanced computers and integrating digital systems into weapons and manufacturing equipment. But these systems could be hacked. Federal laws and policies suggest 6 key practices to set up a cybersecurity management program, such as assigning risk management responsibilities. However, NNSA and its contractors haven't fully implemented these practices. Additionally, NNSA and its contractors rely on...
Privacy: Dedicated Leadership Can Improve Programs and Address Challenges
Federal agencies that collect personally identifiable information—such as birthplaces and Social Security numbers—are required to establish programs to protect it. The 24 agencies we examined had designated a senior agency official for privacy, as required. However, these officials may have numerous other duties and may not bring a needed focus on privacy. They generally delegated many aspects of privacy programs to less-senior officials. We recommended...
Information Environment: Opportunities and Threats to DOD's National Security Mission
To offset U.S. conventional warfighting advantages, opponents try to use the information environment, including information technology and social media. Actions can range from trying to plant malware in weapons to spreading disinformation on social media. This report describes DOD's use and protection of the information environment. We profile 6 areas—such as threats and emerging technologies—and offer questions for further oversight. For example, DOD components identified...
Cybersecurity: Kick-Starting the Office of the National Cyber Director
The federal government needs to develop and implement a comprehensive strategy to overcome the cyber threats facing our nation. Cybersecurity has been on our High Risk list since 1997. In 2021, Congress created the Office of the National Cyber Director to lead the nation's cybersecurity efforts. Our overview looks at the Office's strategic statement, which summarizes its vision and path to improve the nation's cybersecurity...
Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies' Implementation of Statutory Requirements
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including the Federal Information Technology Acquisition Reform Act (FITARA). Since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. We testified that the scorecards have evolved and served as effective oversight tools...
Facial Recognition Technology: Federal Agencies' Use and Related Privacy Protections
We testified about our work on agency use of facial recognition technologies and related privacy issues. For example, 18 of 24 agencies reported using this technology in FY 2020, mostly for building and computer access and law enforcement. In another survey, 14 of 42 agencies with law enforcement officers told us they used the technology in criminal investigations. We found 13 of them didn't track...