Reports & Testimonies

GAO’s reports and testimonies give Congress, federal agencies, and the public timely, fact-based, non-partisan information that can improve government operations and save taxpayers billions of dollars.

Most Recent Reports

Electronic Health Record Modernization: VA Needs to Address Change Management Challenges, User Satisfaction, and System Issues

GAO-23-106685
Veterans Affairs is in the process of replacing its IT system used to maintain veterans' health records—and has deployed its new system to a few locations. We testified that the new system has presented issues for some users. For example, many users said that they weren't adequately trained to use the new system. Users also said that the new system had decreased morale and job...

Science & Tech Spotlight: Securing Data for a Post-Quantum World

GAO-23-106559
Cryptography uses math to secure or "encrypt" data—helping governments, businesses, and others protect sensitive information. While current encryption methods are nearly impossible for normal computers to break, quantum computers could quickly and easily break certain encryptions and put data at risk. This spotlight looks at how to better secure data before quantum computers capable of breaking those encryption methods are ready in possibly 10-20 years...

Cybersecurity High-Risk Series: Challenges in Protecting Privacy and Sensitive Data

GAO-23-106443
Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges. In this report, the last in a series of four, we cover the 2 actions related to Protecting Privacy and Sensitive Data: Improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans; Improve the protection of federally collected...

Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure

GAO-23-106441
Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges. In this report, the third in a series of four, we cover the action related to protecting cyber critical infrastructure—specifically, strengthening the federal role in cybersecurity for critical infrastructure. For example, the Department of Energy needs to address cybersecurity risks to the U.S. power grid. We've...

Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

GAO-23-106428
Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges. In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information: Improve implementation of government-wide cybersecurity initiatives; Address weaknesses in federal agency information security programs; Enhance the federal response to cyber incidents to better protect...

Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight

GAO-23-106415
Federal IT systems and our nation's critical infrastructure are at risk of attack from malicious actors, including those acting on behalf of other nations. Such attacks could result in serious harm to human safety, national security, the environment, and the economy. The federal government should: establish a comprehensive cybersecurity strategy; mitigate global supply chain risks; address the federal cybersecurity worker shortage; ensure the security of...

Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking

GAO-23-105423
Military personnel who complete advanced cyber training—which may take a year or more and costs DOD hundreds of thousands of dollars—may not remain in the military for a significant time after training. We found that 2 of the 4 military services are not positioned to ensure adequate return on their investment in advanced cyber training. While the Navy and Air Force require 3 years of...

Information Technology and Cybersecurity: Evolving the Scorecard Remains Important for Monitoring Agencies' Progress

GAO-23-106414
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including provisions such as the Federal Information Technology Acquisition Reform Act (FITARA). We testified that, since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. The scorecards have evolved and served as...

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

GAO-23-105327
The nation's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list. Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks...

Science & Tech Spotlight: Zero Trust Architecture

GAO-23-106065
Zero trust architecture (ZTA) is a cybersecurity approach that authenticates and authorizes every interaction between a network and a user or device—in contrast to traditional cybersecurity models that allow users or devices to move freely within the network once they are granted access. ZTA works on the "never trust, always verify" principle and assumes that attacks will come from within and outside of the network...

Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure

GAO-23-105789
A network of over 1,600 offshore facilities produces a significant portion of U.S. domestic oil and gas. These facilities, which rely on technology to remotely monitor and control equipment, face a growing risk of cyberattacks. A cyberattack on these facilities could cause physical, environmental, and economic harm. And disruptions to oil and gas production and transmission could affect supplies and markets. The Department of the...

Ransomware: Federal Coordination and Assistance Challenges

GAO-23-106279
Ransomware is software that makes data and systems unusable unless ransom payments are made. State, local, tribal, and territorial government organizations—including schools—have been targeted by ransomware. This can affect vital government operations and services. Ransomware attacks on schools can cause learning loss as well as monetary loss. Several federal agencies provide direct assistance to these organizations in preventing and responding to ransomware attacks. We discuss...

Cybersecurity: Secret Service Has Made Progress Toward Zero Trust Architecture, but Work Remains

GAO-23-105466
With the ever-increasing threat of cyberattacks, the Secret Service is adopting a "zero trust" approach to cybersecurity. This "zero trust architecture" requires constant verification of everything that's trying to connect to an organization's IT systems. The Secret Service developed a plan to implement this with 4 milestones, such as assessing agency IT systems against federal guidance and implementing cloud services. But the agency created this...

DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

GAO-23-105084
Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations. DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD: Hasn't fully implemented its processes for managing cyber incidents; Doesn't have complete data on cyber incidents that staff...

Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

GAO-23-105480
U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations. Three federal agencies assist schools in protecting against cyber threats. But there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. Also, the agencies don't measure or obtain...

Ransomware: Federal Agencies Provide Useful Assistance but Can Improve Collaboration

GAO-22-104767
Ransomware is malicious software that encrypts files and leaves data and systems unusable. With ransomware attacks, hackers gain entry into a system, lock out users, and demand payment to regain access. Homeland Security, FBI, and Secret Service help state, local, and other governments prevent or respond to ransomware attacks on systems like emergency services. Most government entities said they're satisfied with the agencies' prevention...

Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program

GAO-22-106146
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation. We found: NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6; NSF hasn't implemented a strategy to effectively manage risks and challenges, such...

Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program

GAO-22-105187
The CyberCorps Scholarship for Service Program—managed by the National Science Foundation, Office of Personnel Management, and Department of Homeland Security—requires recipients to work in government jobs for a period of time after graduation. We found: NSF and OPM fully complied with 13 legal requirements for managing the program and partially complied with 6; NSF hasn't implemented a strategy to effectively manage risks and challenges, such...

Privacy: Dedicated Leadership Can Improve Programs and Address Challenges

GAO-22-105065
Federal agencies that collect personally identifiable information—such as birthplaces and Social Security numbers—are required to establish programs to protect it. The 24 agencies we examined had designated a senior agency official for privacy, as required. However, these officials may have numerous other duties and may not bring a needed focus on privacy. They generally delegated many aspects of privacy programs to less-senior officials. We recommended...

Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices

GAO-22-104195
The National Nuclear Security Administration (NNSA) is increasingly relying on advanced computers and integrating digital systems into weapons and manufacturing equipment. But these systems could be hacked. Federal laws and policies suggest 6 key practices to set up a cybersecurity management program, such as assigning risk management responsibilities. However, NNSA and its contractors haven't fully implemented these practices. Additionally, NNSA and its contractors rely on...