Reports & Testimonies

GAO’s reports and testimonies give Congress, federal agencies, and the public timely, fact-based, non-partisan information that can improve government operations and save taxpayers billions of dollars.

Most Recent Reports

1 - 20 of 612 Reports

Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

GAO-23-106428
Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges. In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information: improve implementation of government-wide cybersecurity initiatives; address weaknesses in federal agency information security programs; enhance the federal response to cyber incidents to better protect...

Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight

GAO-23-106415
Federal IT systems and our nation's critical infrastructure are at risk of attack from malicious actors, including those acting on behalf of other nations. Such attacks could result in serious harm to human safety, national security, the environment, and the economy. The federal government should: establish a comprehensive cybersecurity strategy; mitigate global supply chain risks; address the federal cybersecurity worker shortage; ensure the security of...

Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking

GAO-23-105423
Military personnel who complete advanced cyber training—which may take a year or more and costs DOD hundreds of thousands of dollars—may not remain in the military for a significant time after training. We found that 2 of the 4 military services are not positioned to ensure adequate return on their investment in advanced cyber training. While the Navy and Air Force require 3 years of...

Information Technology and Cybersecurity: Evolving the Scorecard Remains Important for Monitoring Agencies' Progress

GAO-23-106414
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including provisions such as the Federal Information Technology Acquisition Reform Act (FITARA). We testified that, since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. The scorecards have evolved and served as...

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

GAO-23-105327
The nation's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list. Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks...

Science & Tech Spotlight: Zero Trust Architecture

GAO-23-106065
Zero trust architecture (ZTA) is a cybersecurity approach that authenticates and authorizes every interaction between a network and a user or device—in contrast to traditional cybersecurity models that allow users or devices to move freely within the network once they are granted access. ZTA works on the "never trust, always verify" principle and assumes that attacks will come from within and outside of the network...

Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure

GAO-23-105789
A network of over 1,600 offshore facilities produces a significant portion of U.S. domestic oil and gas. These facilities, which rely on technology to remotely monitor and control equipment, face a growing risk of cyberattacks. A cyberattack on these facilities could cause physical, environmental, and economic harm. And disruptions to oil and gas production and transmission could affect supplies and markets. The Department of the...

Ransomware: Federal Coordination and Assistance Challenges

GAO-23-106279
Ransomware is software that makes data and systems unusable unless ransom payments are made. State, local, tribal, and territorial government organizations—including schools—have been targeted by ransomware. This can affect vital government operations and services. Ransomware attacks on schools can cause learning loss as well as monetary loss. Several federal agencies provide direct assistance to these organizations in preventing and responding to ransomware attacks. We discuss...

Cybersecurity: Secret Service Has Made Progress Toward Zero Trust Architecture, but Work Remains

GAO-23-105466
With the ever-increasing threat of cyberattacks, the Secret Service is adopting a "zero trust" approach to cybersecurity. This "zero trust architecture" requires constant verification of everything that's trying to connect to an organization's IT systems. The Secret Service developed a plan to implement this with 4 milestones, such as assessing agency IT systems against federal guidance and implementing cloud services. But the agency created this...

DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

GAO-23-105084
Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations. DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD: hasn't fully implemented its processes for managing cyber incidents; doesn't have complete data on cyber incidents that staff...

Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

GAO-23-105480
U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations. Three federal agencies assist schools in protecting against cyber threats. But there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. Also, the agencies don't measure or obtain...

Ransomware: Federal Agencies Provide Useful Assistance but Can Improve Collaboration

GAO-22-104767
Ransomware is malicious software that encrypts files and leaves data and systems unusable. In ransomware attacks, hackers gain entry into a system, lock out users, and demand payment to regain access. Homeland Security, FBI, and Secret Service help state, local, and other governments prevent or respond to ransomware attacks on systems like emergency services. Most government entities said they're satisfied with the agencies' prevention...

Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program

GAO-22-106146
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation. We found: NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6; NSF hasn't implemented a strategy to effectively manage risks and challenges, such...

Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program

GAO-22-105187
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation. We found: NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6; NSF hasn't implemented a strategy to effectively manage risks and challenges, such...

Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices

GAO-22-104195
The National Nuclear Security Administration (NNSA) is increasingly relying on advanced computers and integrating digital systems into weapons and manufacturing equipment. But these systems could be hacked. Federal laws and policies suggest 6 key practices to set up a cybersecurity management program, such as assigning risk management responsibilities. However, NNSA and its contractors haven't fully implemented these practices. Additionally, NNSA and its contractors rely on...

Privacy: Dedicated Leadership Can Improve Programs and Address Challenges

GAO-22-105065
Federal agencies that collect personally identifiable information—such as birthplaces and Social Security numbers—are required to establish programs to protect it. The 24 agencies we examined had designated a senior agency official for privacy, as required. However, these officials may have numerous other duties and may not bring a needed focus on privacy. They generally delegated many aspects of privacy programs to less-senior officials. We recommended...

Information Environment: Opportunities and Threats to DOD's National Security Mission

GAO-22-104714
To offset U.S. conventional warfighting advantages, opponents try to use the information environment, including information technology and social media. Actions can range from trying to plant malware in weapons to spreading disinformation on social media. This report describes DOD's use and protection of the information environment. We profile 6 areas—such as threats and emerging technologies—and offer questions for further oversight. For example, DOD components identified...

Cybersecurity: Kick-Starting the Office of the National Cyber Director

GAO-22-105502
The federal government needs to develop and implement a comprehensive strategy to overcome the cyber threats facing our nation. Cybersecurity has been on our High Risk list since 1997. In 2021, Congress created the Office of the National Cyber Director to lead the nation's cybersecurity efforts. Our overview looks at the Office's strategic statement, which summarizes its vision and path to improve the nation's cybersecurity...

Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies' Implementation of Statutory Requirements

GAO-22-106105
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including the Federal Information Technology Acquisition Reform Act (FITARA). Since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. We testified that the scorecards have evolved and served as effective oversight tools...

Facial Recognition Technology: Federal Agencies' Use and Related Privacy Protections

GAO-22-106100
We testified about our work on agency use of facial recognition technologies and related privacy issues. For example, 18 of 24 agencies reported using this technology in FY 2020, mostly for building and computer access and law enforcement. In another survey, 14 of 42 agencies with law enforcement officers told us they used the technology in criminal investigations. We found 13 of them didn't track...