<?xml version="1.0" encoding="UTF-8" ?><?xml-stylesheet type="text/xsl" href="/scripts/rss.xsl" ?><rss version="2.0">
	<channel>
		<title>Saved search results for * filtered by Information Security -&gt; Array -&gt;  and by Reports &amp; Testimonies</title>
		<description></description>
		<link>https://www.gao.gov</link>
		<lastBuildDate>Mon, 26 Oct 2020 16:49:54 -0400</lastBuildDate>
		<generator>GAO</generator>
		<image>
			<url>/images/gao_logo_rss.gif</url>
			<title>GAO logo</title>
            <link>https://www.gao.gov/</link>
			<description>Feed provided by GAO. Click to visit.</description>
		</image>
		
            <item>
                <title>Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks, Oct 09, 2020</title>
                <link>https://www.gao.gov/products/GAO-21-86</link>
                <description>What GAO Found

Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers in ways that were not previously feasible (see fig. 1). As a result, if avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks. Vulnerabilities could occur due to (1) not applying modifications (patches) to commercial software, (2) insecure supply chains, (3) malicious software uploads, (4) outdated systems on legacy airplanes, and (5) flight data spoofing. To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyberattacks on an airplane's avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.

Figure 1: Key Systems Connections to Commercial Airplanes

The Federal Aviation Administration (FAA) has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.

Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.

Figure 2: Federal Aviation Administration's Certification Process for Commercial Transport Airplanes

GAO has previously identified key practices for interagency collaboration that can be used to assess interagency coordination. FAA coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. However, FAA's internal coordination activities do not fully reflect GAO's key collaboration practices. FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency's budget. Until FAA establishes a tracking mechanism for cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program.

Why GAO Did This Study

Avionics systems, which provide weather information, positioning data, and communications, are critical to the safe operation of an airplane. FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems may present increasing opportunities for cyberattacks on commercial airplanes.

GAO was asked to review the FAA's oversight of avionics cybersecurity issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems.

To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives as well as key elements of an effective oversight program, and compared FAA's process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA's coordination efforts to address the identified risks.

What GAO Recommends

GAO is making six recommendations to FAA to strengthen its avionics cybersecurity oversight program:

GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.


Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA

identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.

develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.

review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.

ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.

review and consider the extent to which oversight resources should be committed to avionics cybersecurity.

FAA concurred with five out of six GAO recommendations. FAA did not concur with the recommendation to consider revising its policies and procedures for periodic independent testing. GAO clarified this recommendation to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.

For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov, or Heather Krause at (202) 512-2834 or KrauseH@gao.gov.</description>
                <pubDate>Fri, 09 Oct 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau, Sep 22, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-607R</link>
                <description>What GAO Found

The Department of State (State) coordinates with other federal agencies to advance U.S. interests in cyberspace, but it has not involved these agencies in the development of its plan to establish a new cyber diplomacy bureau. In 2019, State informed Congress of its plan to establish a new Bureau of Cyberspace Security and Emerging Technologies (CSET) to align cyberspace policy resources with an international security focus and improve coordination with other agencies working on these issues. However, officials from six agencies that work with State on cyber diplomacy efforts told GAO that State did not inform or involve them in the development of its plan to establish CSET. GAO's prior work on government reorganization has shown that it is important for agencies to involve other agency stakeholders in developing proposed reforms to obtain their views. Without involving and communicating with agency partners on its reorganization plan, State lacks assurance that it will effectively achieve its goals for establishing CSET, and it increases the risk of negative effects from unnecessary fragmentation, overlap, and duplication of cyber diplomacy efforts.

Why GAO Did This Study

The United States and its allies are facing expanding foreign cyber threats as international trade, communication, and critical infrastructure become increasingly dependent on cyberspace. State leads U.S. cyber diplomacy efforts and coordinates with other agencies to improve the cybersecurity of the nation. Members of Congress have proposed, through the Cyber Diplomacy Act of 2019 (H.R. 739), to establish a new office within State that would consolidate responsibility for digital economy and internet freedom issues, together with international cybersecurity issues. State subsequently notified Congress of its plan to establish CSET, with a narrower focus on cyberspace security and emerging technologies.

GAO was asked to review elements of State's planning process for establishing a new cyber diplomacy bureau. This report examines the extent to which State involved the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and the Treasury in the development of its plan for establishing CSET. GAO reviewed available documentation from State on its planning process for establishing the new bureau and interviewed officials from State and six other agencies. To determine the extent to which State involved other agencies in its planning effort, GAO assessed State's efforts against relevant key practices for agency reforms compiled in GAO's June 2018 report on government reorganization. As part of our ongoing work on this topic, we are also continuing to monitor and review State's overall planning process for establishing this new bureau.

What GAO Recommends

GAO recommends that State involve federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, such as unnecessary fragmentation, overlap, and duplication of these efforts, as it implements its plan to establish CSET. State did not concur, citing that other agencies are not stakeholders in an internal State reform, and that it was unaware that these agencies had consulted with State before reorganizing their own cyberspace security organizations. GAO stands by the recommendation and maintains that State's agency partners are key stakeholders, as they work closely with State on a range of cyber diplomacy efforts. Further, as the leader of U.S. government international efforts to advance U.S. interests in cyberspace, it is important for State to incorporate leading practices to ensure the successful implementation of its reorganization effort.

For more information, contact Brian M. Mazanec at 202-512-5130 or MazanecB@gao.gov, or Nick Marinos at 202-512-9342 or MarinosN@gao.gov.</description>
                <pubDate>Tue, 22 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy, Sep 22, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-629</link>
                <description>What GAO Found

Federal entities have a variety of roles and responsibilities for supporting efforts to enhance the cybersecurity of the nation. Among other things, 23 federal entities have roles and responsibilities for developing policies, monitoring critical infrastructure protection efforts, sharing information to enhance cybersecurity across the nation, responding to cyber incidents, investigating cyberattacks, and conducting cybersecurity-related research. To fulfill their roles and responsibilities, federal entities identified activities undertaken in support of the nation's cybersecurity. For example, National Security Council (NSC) staff, on behalf of the President, and the National Institute of Standards and Technology, have developed policies, strategies, standards, and plans to guide cybersecurity efforts. The Department of Homeland Security has helped secure the nation's critical infrastructure through developing security policy and coordinating security initiatives, among other efforts. Other agencies have established initiatives to gather intelligence and share actual or possible cyberattack information. Multiple agencies have mechanisms in place to assist in responding to cyberattacks, and law enforcement components, including the Federal Bureau of Investigation, are responsible for investigating them.

The White House's September 2018 National Cyber Strategy and the NSC's accompanying June 2019 Implementation Plan detail the executive branch's approach to managing the nation's cybersecurity. When evaluated together, these documents addressed several of the desirable characteristics of national strategies, but lacked certain key elements for addressing others.

National Cyber Strategy and Implementation Plan Are Missing Desirable Characteristics of a National Strategy

Characteristic | Cyber Strategy and Plan Coverage of Issue
Purpose, scope, and methodology | Addressed
Organizational roles, responsibilities, and coordination | Addressed
Integration and implementation | Addressed
Problem definition and risk assessment | Did not fully address
Goals, subordinate objectives, activities, and performance measures | Did not fully address
Resources, investments, and risk management | Did not fully address

Source: GAO analysis of 2018 National Cyber Strategy and 2019 Implementation Plan. | GAO-20-629

For example, the Implementation Plan details 191 activities that federal entities are to undertake to execute the priority actions outlined in the National Cyber Strategy. These activities are assigned a level, or tier, based on the coordination efforts required to execute the activity and the extent to which NSC staff is expected to be involved. Thirty-five of these activities are designated as the highest level (tier 1) and are coordinated by a functional entity within the NSC. Ten entities are assigned to lead or co-lead these critical activities while also being tasked to lead or co-lead lower tier activities.

Leadership Roles for Federal Entities Assigned as Leads or Co-Leads for National Cyber Strategy Implementation Plan Activities

Entity | Tier 1 Activities | Tier 2 Activities | Tier 3 Activities
National Security Council | 15 | 7 | 3
Department of Homeland Security | 14 | 19 | 15
Office of Management and Budget | 7 | 6 | 5
Department of Commerce | 5 | 9 | 35
Department of State | 2 | 5 | 11
Department of Defense | 1 | 6 | 17
Department of Justice | 1 | 10 | 5
Department of Transportation | 1 | 0 | 5
Executive Office of the President | 1 | 0 | 0
General Services Administration | 1 | 2 | 1

Source: GAO analysis of 2018 National Cyber Strategy and 2019 Implementation Plan. | GAO-20-629

Although the Implementation Plan defined the entities responsible for leading each of the activities, it did not include goals and timelines for 46 of the activities or identify the resources needed to execute 160 activities. Additionally, the discussion of risk in the National Cyber Strategy and Implementation Plan was not based on an analysis of threats and vulnerabilities. Further, the documents did not specify a process for monitoring agency progress in executing Implementation Plan activities. Instead, NSC staff stated that they performed periodic check-ins with responsible entities, but did not provide an explanation or definition of the specific level of NSC staff involvement for each of the three tier designations. Without a consistent approach to engaging with responsible entities and a comprehensive understanding of what is needed to implement all 191 activities, the NSC will face challenges in ensuring that the National Cyber Strategy is efficiently executed.

GAO and others have reported on the urgency and necessity of clearly defining a central leadership role in order to coordinate the government's efforts to overcome the nation's cyber-related threats and challenges. The White House identified the NSC staff as responsible for coordinating the implementation of the National Cyber Strategy. However, in light of the elimination of the White House Cybersecurity Coordinator position in May 2018, it remains unclear which official ultimately maintains responsibility for not only coordinating execution of the Implementation Plan, but also holding federal agencies accountable once activities are implemented. NSC staff stated that responsibility for duties previously attributed to the White House Cyber Coordinator was passed to the senior director of NSC's Cyber directorate; however, the staff did not provide a description of what those responsibilities include. NSC staff also stated that federal entities are ultimately responsible for determining the status of the activities that they lead or support and for communicating implementation status to relevant NSC staff. However, without a clear central leader to coordinate activities, as well as a process for monitoring performance of the Implementation Plan activities, the White House cannot ensure that entities are effectively executing their assigned activities intended to support the nation's cybersecurity strategy and ultimately overcome this urgent challenge.

Why GAO Did This Study

Increasingly sophisticated cyber threats have underscored the need to manage and bolster the cybersecurity of key government systems and the nation's cybersecurity. The risks to these systems are increasing as security threats evolve and become more sophisticated. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. In 2018, GAO noted that the need to establish a national cybersecurity strategy with effective oversight was a major challenge facing the federal government.

GAO was requested to review efforts to protect the nation's cyber critical infrastructure. The objectives of this report were to (1) describe roles and responsibilities of federal entities tasked with supporting national cybersecurity, and (2) determine the extent to which the executive branch has developed a national strategy and a plan to manage its implementation.

To do so, GAO identified 23 federal entities responsible for enhancing the nation's cybersecurity. Specifically, GAO selected 13 federal agencies based on their specialized or support functions regarding critical infrastructure security and resilience, and 10 additional entities based on analysis of its prior reviews of national cybersecurity, relevant executive policy, and national strategy documents. GAO also analyzed the National Cyber Strategy and Implementation Plan to determine if they aligned with the desirable characteristics of a national strategy.

What GAO Recommends

GAO is making one matter for congressional consideration, that Congress should consider legislation to designate a leadership position in the White House with the commensurate authority to implement and encourage action in support of the nation's cybersecurity.

GAO is also making one recommendation to the National Security Council to work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things. The National Security Council neither agreed nor disagreed with GAO's recommendation.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Tue, 22 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Information Security and Privacy: HUD Needs a Major Effort to Protect Data Shared with External Entities, Sep 21, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-431</link>
                <description>What GAO Found

The Department of Housing and Urban Development (HUD) is not effectively protecting sensitive information exchanged with external entities. Of four leading practices for such oversight, HUD did not address one practice and only minimally addressed the other three in its security and privacy policies and procedures (see table). For example, HUD minimally addressed the first leading practice because its policy required federal agencies and contractors with which it exchanges information to implement risk-based security controls; however, the department did not, among other things, establish a process or mechanism to ensure all external entities complied with security and privacy requirements when processing, storing, or sharing information outside of HUD systems. HUD's weaknesses in the four practices were due largely to a lack of priority given to updating its policies. Until HUD implements the leading practices, it is unlikely that the department will be able to mitigate risks to its programs and program participants.

Extent to Which the Department of Housing and Urban Development (HUD) Policies and Procedures Address Leading Practices for Overseeing the Protection of Sensitive Information

Practice | Rating
Require risk-based security and privacy controls | ◔
Independently assess implementation of controls | ◌
Identify and track corrective actions needed | ◔
Monitor progress implementing controls | ◔

Legend: ◔=Minimally addressed—leading practice was addressed to a limited extent; ◌=Not addressed—leading practice was not addressed.

Source: GAO analysis of HUD data. | GAO-20-431

HUD was not fully able to identify external entities that process, store, or share sensitive information with its systems used to support housing, community investment, or mortgage loan programs. HUD's data were incomplete and did not provide reliable information about external entities with access to sensitive information from these systems. For example, GAO identified additional external entities in system documentation beyond what HUD reported for 23 of 32 systems. HUD was further limited in its ability to protect sensitive information because it did not track the types of personally identifiable information or other sensitive information shared with external entities that required protection. This occurred, in part, because the department did not have a comprehensive inventory of systems, to include information on external entities. Its policies and procedures also focused primarily on security and privacy for internal systems and lacked specificity about how to ensure that all types of external entities protected information collected, processed, or shared with the department. Until HUD develops sufficient, reliable information about external entities with which program information is shared and the extent to which each entity has access to personally identifiable information and other sensitive information, the department will be limited in its ability to safeguard information about its housing, community investment, and mortgage loan programs.

Why GAO Did This Study

To administer housing, community investment, and mortgage loan programs, HUD collects a vast amount of sensitive personal information and shares it with external entities, including federal agencies, contractors, and state, local, and tribal organizations. In 2016, HUD reported two incidents that compromised sensitive information.

House Report 115-237, referenced by the Consolidated Appropriations Act, 2018, included a provision for GAO to evaluate HUD's information security framework for protecting information within these programs. The objectives were to (1) assess the effectiveness of HUD's policies and procedures for overseeing the security and privacy of sensitive information exchanged with external entities; and (2) determine the extent to which HUD was able to identify external entities that process, store, and share sensitive information with applicable systems. GAO compared HUD's policies and practices for systems' security and privacy to four leading practices identified in federal legislation and guidance. GAO also assessed HUD's practices for identifying external entities with access to sensitive information.

What GAO Recommends

GAO is making five recommendations to HUD to fully implement the four leading practices and fully identify the extent to which sensitive information is shared with external entities.

HUD did not agree or disagree with the recommendations, but described actions intended to address them.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Mon, 21 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Critical Infrastructure Protection: Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts, Sep 17, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-631</link>
                <description>What GAO Found

The federal government has long identified the financial services sector as a critical component of the nation's infrastructure. The sector includes commercial banks, securities brokers and dealers, and providers of the key financial systems and services that support these functions. Altogether, the sector holds about $108 trillion in assets and faces a variety of cybersecurity-related risks. Key risks include (1) an increase in access to financial data through information technology service providers and supply chain partners; (2) a growth in sophistication of malware—software meant to do harm—and (3) an increase in interconnectivity via networks, the cloud, and mobile applications. Cyberattacks that exploit risks can occur against either public or private components of the sector. For example, in February 2016, hackers were able to install malware on the Bangladesh Central Bank's system through a service provider, which then directed the Federal Reserve Bank of New York to transfer money to accounts in other Asian countries. This attack resulted in the theft of approximately $81 million.

Several industry groups and firms are taking steps to enhance the security and resilience of the U.S. financial services sector through a broad range of cyber risk mitigation efforts. These efforts include coordinating within the sector through groups such as the Financial Services Sector Coordinating Council and the Financial Systemic Analysis and Resilience Center, conducting industrywide incident response exercises, sharing threat and vulnerability information, developing and providing guidance in conducting risk assessments, and offering cybersecurity-related training.

The Departments of Homeland Security and the Treasury and federal financial regulators are also taking multiple steps to support cybersecurity and resilience through risk mitigation efforts. Among other things, federal agencies provide cybersecurity expertise and conduct simulation exercises related to cyber incident response and recovery. Treasury, as the designated lead agency for the financial sector, plays a key role in supporting many of the efforts to enhance the sector's cybersecurity and resiliency. For example, Treasury's Assistant Secretary for Financial Institutions serves as the chair of the committee of government agencies with sector responsibilities, and Treasury coordinates federal agency efforts to improve the sector's cybersecurity and related communications.

However, Treasury does not track efforts or prioritize them according to goals established by the sector for enhancing cybersecurity and resiliency. Treasury also has not fully implemented GAO's previous recommendation to establish metrics related to the value and results of the sector's risk mitigation efforts. Further, the 2016 sector-specific plan, which is intended to direct sector activities, does not identify ways to measure sector progress and is out of date. Among other things, the sector-specific plan lacks information on sector-related requirements laid out in the 2019 National Cyber Strategy Implementation Plan. Unless more widespread and detailed tracking and prioritization of efforts occurs according to the goals laid out in the sector-specific plan, the sector could be insufficiently prepared to deal with cyber-related risks, such as those caused by increased access to data by third parties.

Why GAO Did This Study

For decades, the federal government has taken steps to protect the nation's critical infrastructures. The financial services sector's reliance on information technology makes it a leading target for cyber-based attacks. Recent high-profile breaches at commercial entities have heightened concerns that data are not being adequately protected.

Under the Comptroller General's authority, GAO initiated this review to (1) describe the key cyber-related risks facing the financial sector; (2) describe steps the financial services industry is taking to share information on and address risks to its sector; and (3) assess steps federal agencies are taking to enhance the security and resilience of the sector. GAO analyzed relevant reports and information to determine risks and mitigation efforts and compared agency efforts against federal policies and guidance. GAO also interviewed officials at 16 private sector entities, two self-regulatory organizations, and eight federal agencies, including the Department of the Treasury.

What GAO Recommends

GAO is making recommendations to Treasury to track and prioritize the sector's cyber risk mitigation efforts, and to update the sector's plan with metrics for measuring progress and information on how sector efforts will meet sector goals and requirements, including those contained within the National Cyber Strategy Implementation Plan. Treasury generally agreed with the recommendations.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov or Michael Clements at (202) 512-7763 or ClementsM@gao.gov.</description>
                <pubDate>Thu, 17 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Veterans Affairs: VA Needs to Address Persistent IT Modernization and Cybersecurity Challenges, Sep 16, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-719T</link>
                <description>What GAO Found

The Department of Veterans Affairs (VA) has faced challenges in its efforts to accomplish three critical information technology (IT) modernization initiatives: the department's health information system, known as the Veterans Health Information Systems and Technology Architecture (VistA); a system for the Family Caregiver Program, which is to support family caregivers of seriously injured post-9/11 veterans; and the Veterans Benefits Management System (VBMS) that collects and stores information and is used for processing disability benefit claims. Specifically,

GAO has reported on the challenges in the department's three previous unsuccessful attempts to modernize VistA over the past 20 years. However, VA has recently deployed a new scheduling system as part of its fourth effort to modernize VistA and the next deployment of the system, including additional capabilities, is planned in October 2020.

VA had taken steps to address GAO's recommendations from its 2014 report to implement a replacement system for the Family Caregiver Program. However, in September 2019, GAO reported that VA had yet to implement a new IT system that fully supports the Family Caregiver Program and that it had not yet fully committed to a date by which it will certify that the new IT system fully supports the program.

In September 2015, GAO reported that VA had made progress in developing and implementing VBMS, but also noted that additional actions could improve efforts to develop and use the system. For example, VBMS was not able to fully support disability and pension claims, as well as appeals processing. GAO made five recommendations aimed at improving VA's efforts to effectively complete the development and implementation of VBMS; however, as of September 2020, VA had implemented only one of them.

VA's progress in implementing key provisions of the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA) has been uneven. Specifically, VA has made progress toward improving its licensing of software and achieving its goals for closing unneeded data centers. However, the department has made limited progress toward addressing requirements related to IT investment risk management and Chief Information Officer authority enhancement. Until the department implements the act's provisions, Congress' ability to effectively monitor VA's progress and hold it fully accountable for reducing duplication and achieving cost savings will be hindered.

In addition, since fiscal year 2016, GAO has reported that VA faces challenges related to effectively implementing the federal approach to, and strategy for, securing information systems; effectively implementing information security controls and mitigating known security deficiencies; and establishing elements of its cybersecurity risk management program. GAO's work stressed the need for VA to address these challenges as well as manage IT supply chain risks. As VA continues to pursue modernization efforts, it is critical that the department take steps to adequately secure its systems.

Why GAO Did This Study

The use of IT is crucial to helping VA effectively serve the nation's veterans. The department annually spends billions of dollars on its information systems and assets—VA's budget for IT now exceeds $4 billion annually. However, over many years, VA has experienced challenges in managing its IT projects and programs, which could jeopardize its ability to effectively support key programs such as the Forever GI Bill. GAO has previously reported on these IT management challenges at VA.

GAO was asked to testify on its prior IT work at VA. Specifically, this testimony summarizes results and recommendations from GAO's issued reports that examined VA's efforts in (1) modernizing VistA, a system for the Family Caregiver Program, and VBMS; (2) implementing FITARA; and (3) addressing cybersecurity issues. In developing this testimony, GAO reviewed its recently issued reports that addressed IT management issues at VA and GAO's biannual high-risk series. GAO also incorporated information on the department's actions in response to recommendations.

What GAO Recommends

GAO has made numerous recommendations in recent years aimed at improving VA's IT system modernization efforts, implementation of key FITARA provisions, and cybersecurity program. VA has generally agreed with the recommendations and has begun to address them.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Wed, 16 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Data Security: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm, Sep 15, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-644</link>
                <description>What GAO Found

A cybersecurity incident is an event that actually or potentially jeopardizes a system or the information it holds. According to GAO's analysis of K-12 Cybersecurity Resource Center (CRC) data from July 2016 to May 2020, thousands of K-12 students were affected by 99 reported data breaches, one type of cybersecurity incident in which data are compromised. Students' academic records, including assessment scores and special education records, were the most commonly compromised type of information (58 breaches). Records containing students' personally identifiable information (PII), such as Social Security numbers, were the second most commonly compromised type of information (36 breaches). Financial and cybersecurity experts say some PII can be sold on the black market and can cause students significant financial harm. Breaches were either accidental or intentional, although sometimes the intent was unknown, with school staff, students, and cybercriminals among those responsible (see figure). Staff were responsible for most of the accidental breaches (21 of 25), and students were responsible for most of the intentional breaches (27 of 52), most frequently to change grades. Reports of breaches by cybercriminals were rare but included attempts to steal PII. Although the number of students affected by a breach was not always available, examples show that thousands of students have had their data compromised in a single breach.

Figure: Responsible Actor and Intent of Reported K-12 Student Data Breaches, July 1, 2016-May 5, 2020

Notes: The actor or the intent may not be discernible in public reports.

For this analysis, a cybercriminal is defined as an actor external to the school district who breaches a data system for malicious reasons.

Of the 287 school districts affected by reported student data breaches, larger, wealthier, and suburban school districts were disproportionately represented, according to GAO's analysis. Cybersecurity experts GAO spoke with said one explanation for this is that some of these districts may use more technology in schools, which could create more opportunities for breaches to occur.

Why GAO Did This Study

When a student's personal information is disclosed, it can lead to physical, emotional, and financial harm. Organizations are vulnerable to data security risks, including over 17,000 public school districts and approximately 98,000 public schools. As schools and districts increasingly rely on complex information technology systems for teaching, learning, and operating, they are collecting more student data electronically that can put a student's information, including PII, at risk of disclosure. The closure of schools and the sudden transition to distance learning across the country due to the Coronavirus Disease 2019 (COVID-19) pandemic also heightened attention on K-12 cybersecurity.

GAO was asked to review the security of K-12 students' data. This report examines (1) what is known about recently reported K-12 cybersecurity incidents that compromised student data, and (2) the characteristics of school districts that experienced these incidents.

GAO analyzed data from July 1, 2016 to May 5, 2020 from CRC (the most complete source of information on K-12 data breaches). CRC is a non-federal resource sponsored by an educational technology organization that has tracked reported K-12 cybersecurity incidents since 2016. GAO also analyzed 2016-2019 Department of Education data on school district characteristics (the most recent available), and interviewed experts knowledgeable about cybersecurity. We incorporated technical comments from the agencies as appropriate.

For more information, contact Jacqueline M. Nowicki at (617) 788-0580 or nowickij@gao.gov.</description>
                <pubDate>Tue, 15 Sep 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program, Aug 18, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-598</link>
                <description>What GAO Found

Selected agencies—the Federal Aviation Administration, Indian Health Service, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and a federal dashboard.

Figure: Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard

However, while agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks. In addition, although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security.
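The two failure modes in the paragraph above, an inventory that cannot be trusted because records lack a unique hardware identifier, and configuration settings that are never compared to a benchmark, are easy to see in a small aggregation script. The following is an added example written for this page; it is not CDM program code, and the record fields, tool names, sample hosts and benchmark values are all constructed for illustration (the benchmark is not a real federal core benchmark).

```python
"""Constructed CDM-style aggregation: merge hardware records from several
discovery tools on a unique hardware identifier, then compare observed
configuration settings against a benchmark. Not CDM program code; every
record, tool name and benchmark value below is an assumption for illustration."""
from collections import defaultdict

# Constructed sample records as two discovery tools might report them. "hw_id"
# stands in for a unique hardware identifier (a serial number, say). A record
# whose hw_id is None models a tool that was installed without configuring one.
HARDWARE_RECORDS = [
    {"tool": "netscan", "hw_id": "SN-1001", "hostname": "wks-01", "ip": "10.0.0.11"},
    {"tool": "agent",   "hw_id": "SN-1001", "hostname": "wks-01", "ip": "10.0.0.11"},
    {"tool": "netscan", "hw_id": "SN-1002", "hostname": "wks-02", "ip": "10.0.0.12"},
    {"tool": "agent",   "hw_id": None,      "hostname": "wks-02", "ip": "10.0.0.12"},
    {"tool": "netscan", "hw_id": None,      "hostname": "srv-01", "ip": "10.0.0.20"},
    {"tool": "agent",   "hw_id": None,      "hostname": "srv-01", "ip": "10.0.0.99"},  # same host, new DHCP lease
]
TRUE_DEVICE_COUNT = 3  # what is actually on the constructed network


def aggregate_hardware(records):
    """Merge records on hw_id. Returns (identified_count, unmatched_records).
    Records without an identifier cannot be correlated across tools, so they
    are surfaced for follow-up instead of being counted as distinct devices."""
    by_id = defaultdict(list)
    unmatched = []
    for rec in records:
        if rec["hw_id"] is None:
            unmatched.append(rec)
        else:
            by_id[rec["hw_id"]].append(rec)
    return len(by_id), unmatched


def naive_count(records):
    """Count a dashboard would show if it keyed on hostname and IP instead:
    a device whose address changed between scans is counted twice."""
    return len({(r["hostname"], r["ip"]) for r in records})


# Constructed benchmark, not a real federal core benchmark: setting -> (mode, value).
# "min": observed must be at least value; "max": at most; "eq": exactly.
BENCHMARK = {
    "password_min_length": ("min", 12),
    "lockout_threshold": ("max", 5),
    "smbv1_enabled": ("eq", False),
    "audit_logon_events": ("eq", True),
}

# Constructed settings collected from one host; audit_logon_events was not collected.
OBSERVED = {"password_min_length": 8, "lockout_threshold": 10, "smbv1_enabled": False}


def check_configuration(observed, benchmark=BENCHMARK):
    """Return [(setting, observed_value, required_value)] for every deviation.
    A setting the tools did not collect is reported as a deviation too, so
    that 'not measured' never reads as 'compliant' on the dashboard."""
    findings = []
    for name, (mode, required) in benchmark.items():
        if name not in observed:
            findings.append((name, None, required))
            continue
        value = observed[name]
        ok = (
            (mode == "min" and value >= required)
            or (mode == "max" and required >= value)
            or (mode == "eq" and value == required)
        )
        if not ok:
            findings.append((name, value, required))
    return findings


if __name__ == "__main__":
    identified, unmatched = aggregate_hardware(HARDWARE_RECORDS)
    print(f"identified devices: {identified}, records lacking hw_id: {len(unmatched)}, "
          f"naive count: {naive_count(HARDWARE_RECORDS)}, actual: {TRUE_DEVICE_COUNT}")
    for finding in check_configuration(OBSERVED):
        print("deviation:", finding)
```

On the constructed data the identifier-based merge finds only two devices it can vouch for and three records it cannot place, while a hostname-and-IP fallback reports four devices on a three-device network; neither number is the true count, which is the report's point about missing unique identifiers. The benchmark check deliberately reports an uncollected setting as a deviation rather than leaving it out of the findings.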

The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors. DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.

Why GAO Did This Study

In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities.

GAO was asked to review agencies' continuous monitoring practices. This report (1) examines the extent to which selected agencies have effectively implemented key CDM program requirements and (2) describes challenges agencies identified in implementing the requirements and steps DHS has taken to address these challenges.

GAO selected three agencies based on reported acquisition of CDM tools. GAO evaluated the agencies' implementation of CDM asset management capabilities, conducted semi-structured interviews with agency officials, and examined DHS actions.

What GAO Recommends

GAO is making six recommendations to DHS, including to ensure that contractors provide unique hardware identifiers; and nine recommendations to the three selected agencies, including to compare configurations to benchmarks. DHS and the selected agencies concurred with the recommendations.

For more information, contact Vijay A. D'Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Tue, 18 Aug 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Information Technology: Federal Agencies and OMB Need to Continue to Improve Management and Cybersecurity, Aug 03, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-691T</link>
                <description>What GAO Found

Federal agencies and the Office of Management and Budget (OMB) have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure the nation's cybersecurity through a series of initiatives. As of July 2020, federal agencies had fully implemented 64 percent of the 1,376 IT management-related recommendations that GAO has made to them since fiscal year 2010. Likewise, agencies had implemented 79 percent of the 3,409 security-related recommendations that GAO has made since fiscal year 2010. However, significant actions remain to be completed to build on this progress.

Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assign 35 key responsibilities to agency CIOs to help address longstanding IT management challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO. GAO recommended that OMB and the 24 agencies take actions to improve the effectiveness of CIOs' implementation of their responsibilities. Although most agencies agreed or did not comment, only four of the 27 recommendations have been implemented.

CIO IT acquisition review. According to FITARA, covered agencies' CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Since then, agencies implemented 29 out of 39 recommendations made to improve CIO oversight for these acquisitions. Implementing the remaining 10 could increase CIOs' authority and improve the management of IT contracts.

Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to the 24 covered agencies, this initiative has resulted in approximately $4.7 billion in cost savings from fiscal years 2012 through 2019. Even so, additional work remains. As of July 2020, OMB and agencies implemented 133 of the 204 recommendations made to improve the reporting of related cost savings and to achieve optimization targets. Implementing the remaining recommendations could yield additional cost savings.

Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings and made 135 recommendations to improve such management. Agencies have implemented 123 of the 135 recommendations. Implementing the remaining 12 could reduce spending and duplication.

Ensuring the nation's cybersecurity. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities. Since fiscal year 2010, GAO has made 3,409 recommendations to agencies aimed at addressing cybersecurity challenges. As of July 2020, 79 percent of the recommendations have been implemented. Until the remaining recommendations are addressed, agencies' information and IT systems will be increasingly susceptible to the existing multitude of cyber-related threats.

Why GAO Did This Study

Each year, the federal government invests over $90 billion in IT. Even so, IT investments have too often failed or contributed little to mission-related outcomes. Increasingly sophisticated threats and frequent cyber incidents also underscore the need for effective information security. To focus attention on these concerns, GAO has included both the management of IT acquisitions and operations and cybersecurity on its high-risk list.

For this statement, GAO summarized its key related reports and assessed agencies' progress in implementing the reports' recommendations. Specifically, GAO reviewed the implementation of recommendations on (1) CIO responsibilities, (2) IT acquisition review requirements, (3) data center consolidation, (4) the management of software licenses, and (5) cybersecurity.

What GAO Recommends

Since fiscal year 2010, GAO has made 1,376 recommendations to OMB and agencies to address shortcomings in IT acquisitions and operations, as well as 3,409 recommendations to agencies to improve the security of federal systems. These recommendations addressed, among other things, implementation of CIO responsibilities, oversight of the data center consolidation initiative, management of software licenses, and the efficacy of security programs. Implementing these recommendations is essential to strengthening federal agencies' IT acquisitions, operations, and cybersecurity efforts.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Mon, 03 Aug 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States, May 27, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-123</link>
                <description>What GAO Found

Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters. Such parameters involve agencies defining specific values like the number of consecutive unsuccessful logon attempts prior to locking out the user. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. Regarding variance with National Institute of Standards and Technology guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. The variances were due in part to the federal agencies' insufficient coordination in establishing requirements. Although the Office of Management and Budget's (OMB) Circular A-130 requires agencies to coordinate, OMB has not ensured that agencies have done so. Further, while federal agencies' variance among requirements may be justified in some cases because of particular agency mission needs, the resulting impact on states is significant, according to state chief information security officers (see figure).

Figure: Extent of Impacts Identified by State Chief Information Security Officers as a Result of Variances in Selected Federal Agencies' Cybersecurity Requirements

Note: Not all respondents answered all survey questions. The figure is based on 46 responses.

The four federal agencies that GAO reviewed either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies' costs, including multiple federal agencies that requested the same documentation. Coordinating with state and federal agencies when assessing state agencies' cybersecurity may help to minimize states' cost and time impacts and reduce associated federal costs. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies' cybersecurity.
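The conflicting-parameter problem in the first paragraph above has a mechanical side that a state security team faces directly: one system that receives data from several agencies has to satisfy every agency's value for the same control at once. The following is an added example written for this page, not code from GAO or from any of the agencies. The agency names follow the report, but every parameter value and the stricter-direction table are invented for illustration and are not any agency's actual requirement.

```python
"""Constructed example of reconciling parameter conflicts across several federal
data-sharing partners on one state system. Agency names follow the report; the
values and the DIRECTION table are assumptions made for illustration only."""

# Which way is stricter for each parameter (an assumption for this example):
# "max": a smaller value is stricter (fewer failed logons before lockout);
# "min": a larger value is stricter (longer minimum password length).
DIRECTION = {
    "lockout_threshold": "max",
    "password_min_length": "min",
    "session_timeout_minutes": "max",
    "password_max_age_days": "max",
}

# Constructed requirement sets, not the agencies' real ones.
REQUIREMENTS = {
    "CMS": {"lockout_threshold": 5, "password_min_length": 8, "session_timeout_minutes": 15},
    "FBI": {"lockout_threshold": 5, "password_min_length": 12, "session_timeout_minutes": 15,
            "password_max_age_days": 90},
    "IRS": {"lockout_threshold": 3, "password_min_length": 8, "session_timeout_minutes": 15,
            "password_max_age_days": 90},
    "SSA": {"lockout_threshold": 3, "password_min_length": 8, "session_timeout_minutes": 15},
}


def values_by_parameter(requirements):
    """Invert {agency: {param: value}} into {param: {agency: value}}."""
    out = {}
    for agency, params in requirements.items():
        for name, value in params.items():
            out.setdefault(name, {})[agency] = value
    return out


def find_conflicts(requirements):
    """Parameters for which at least two agencies specify different values."""
    return {name: by_agency
            for name, by_agency in values_by_parameter(requirements).items()
            if len(set(by_agency.values())) > 1}


def conflict_rate_by_agency(requirements):
    """For each agency, the share of its parameters that conflict with some
    other agency's value: the per-agency percentage the report describes."""
    conflicts = find_conflicts(requirements)
    return {agency: sum(1 for name in params if name in conflicts) / len(params)
            for agency, params in requirements.items()}


def strictest_settings(requirements, direction=DIRECTION):
    """One value per parameter that satisfies every agency specifying it:
    the minimum of 'max'-type values, the maximum of 'min'-type values.
    A parameter with no known direction maps to None so that a person
    reconciles it instead of the script guessing."""
    settings = {}
    for name, by_agency in values_by_parameter(requirements).items():
        mode = direction.get(name)
        if mode == "max":
            settings[name] = min(by_agency.values())
        elif mode == "min":
            settings[name] = max(by_agency.values())
        else:
            settings[name] = None
    return settings


if __name__ == "__main__":
    for name, by_agency in find_conflicts(REQUIREMENTS).items():
        print(f"conflict on {name}: {by_agency}")
    print("conflict rate by agency:", conflict_rate_by_agency(REQUIREMENTS))
    print("single configuration satisfying all:", strictest_settings(REQUIREMENTS))
```

Taking the strictest value only works for parameters that are ordered (a lockout threshold of 3 satisfies an agency that asked for 5); a parameter whose values are categorical, such as a required algorithm or a mandated product, has no "strictest" choice, which is why the script returns None for anything outside its direction table. That residue is the set the report's coordination recommendation is really about.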

Why GAO Did This Study

To protect data that are shared with state government agencies, federal agencies have established cybersecurity requirements and related compliance assessment programs. Specifically, they have numerous cybersecurity requirements for states to follow when accessing, storing, and transmitting federal data.

GAO was asked to evaluate federal agencies' cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies' cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies' cybersecurity.

GAO reviewed four federal agencies that shared data with states and had assessment programs: CMS, FBI, IRS, and SSA. GAO compared, among other things, each agency's cybersecurity requirements to federal guidance and to other selected agencies' requirements; and reviewed federal agencies' policies for conducting assessments. In addition, GAO examined OMB's efforts to foster coordination among federal agencies. GAO also surveyed and received responses from chief information security officers in 50 out of 55 U.S. states, territories, and the District of Columbia to obtain their perspectives.

What GAO Recommends

GAO is making 12 recommendations to the four selected agencies and to OMB. Three agencies agreed with the recommendations and one agency (IRS) partially agreed or disagreed with them. OMB did not provide comments. GAO continues to believe all recommendations are warranted.

For more information, contact Vijay D’Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Wed, 27 May 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Critical Infrastructure Protection: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities, May 14, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-453</link>
                <description>What GAO Found

The Chemical Facility Anti-Terrorism Standards (CFATS) program within the Department of Homeland Security (DHS) evaluates high-risk chemical facilities’ cybersecurity efforts via inspections that include reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures. GAO found that the CFATS program has guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards, but the guidance has not been updated in more than 10 years, in contrast with internal control standards which recommend periodic review. CFATS officials stated that the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances. Without such a process, facilities could be more vulnerable to cyber-related threats.

Figure: Potential Cyber-Related Threats to Chemical Facilities

The CFATS program developed and provided cybersecurity training for its inspectors, but GAO found that the CFATS program does not fully address 3 of 4 key training practices, or address cybersecurity needs in its workforce planning process, as recommended by DHS guidance. Specifically:

	The CFATS program does not: (1) systematically collect or track data related to inspectors’ cybersecurity training or knowledge, skills, and abilities; (2) develop measures to assess how training is contributing to cybersecurity-related program results; or (3) have a process to evaluate the effectiveness of its cybersecurity training in improving inspector skillsets.
	The program also has yet to incorporate identified cybersecurity knowledge, skills, and abilities for inspectors in its current workforce planning processes or track data related to covered facilities’ reliance on information systems when assessing its workforce needs.

Fully addressing key training practices will help ensure that CFATS inspectors have the knowledge, skills, and abilities for cybersecurity inspections, and identifying cybersecurity needs in workforce planning will help the program ensure that it has the appropriate number of staff to carry out the program’s cybersecurity-related efforts.

Why GAO Did This Study

Thousands of high-risk chemical facilities may be subject to the risk posed by cyber threat adversaries—terrorists, criminals, or nations. These adversaries could potentially manipulate facilities’ information and control systems to release or steal hazardous chemicals and inflict mass casualties on surrounding populations (see figure). In accordance with the DHS Appropriations Act, 2007, DHS established the CFATS program to, among other things, identify and assess the security risk posed to chemical facilities.

GAO was asked to examine the cybersecurity efforts of the CFATS program, including the extent to which the program (1) assesses the cybersecurity efforts of covered facilities, and (2) determines the specialty training and level of staff needed to assess cybersecurity at covered facilities.

GAO conducted site visits to observe the cybersecurity portion of CFATS inspections based on scheduled inspections, reviewed inspection documents, and interviewed CFATS inspectors. GAO also analyzed inspection guidance and training against key practices and assessed workforce planning documents and processes.

What GAO Recommends

GAO is making six recommendations to DHS to routinely review guidance and update, as needed; to fully incorporate key training practices; and to identify workforce cybersecurity needs. DHS concurred with the recommendations.

For more information, contact Nathan Anderson at (206) 287-4804 or andersonn@gao.gov or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Thu, 14 May 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls, May 13, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-411R</link>
                <description>What GAO Found

During its audit of the Internal Revenue Service’s (IRS) fiscal years 2019 and 2018 financial statements, GAO identified new deficiencies in information system security controls that along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in the agency’s internal control over financial reporting systems. Specifically, GAO identified 11 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 11 new deficiencies, five were related to access controls, three were related to configuration management, one was related to segregation of duties, and two were related to information security management program controls. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 11 new deficiencies in information system security controls and made 18 recommendations to address them.

In addition, GAO found that as of September 30, 2019, IRS had completed corrective actions to address deficiencies in information system security controls associated with 13 of the 127 recommendations resulting from GAO’s prior financial audits. GAO closed these recommendations. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2019.

As a result, IRS has 132 GAO recommendations to address—the 114 remaining open recommendations from GAO’s prior financial audits and the 18 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to unauthorized access, modification, or disclosure.

Summary of GAO Recommendations to IRS for Addressing Deficiencies in Information System Security Controls

Information system security control area | Open recommendations from prior audits as of September 30, 2018 | Prior recommendations closed as of September 30, 2019 | New recommendations resulting from FY 2019 audit | Total remaining open recommendations
Access controls | 93 | 8 | 7 | 92
Configuration management | 26 | 3 | 7 | 30
Segregation of duties | 1 | — | 1 | 2
Contingency planning | 1 | 1 | — | —
Information security management program | 6 | 1 | 3 | 8
Total | 127 | 13 | 18 | 132

Legend: FY = fiscal year; — = no recommendation made.

Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-20-411R

Why GAO Did This Study

This report presents the new deficiencies in information system security controls identified during GAO’s audit of IRS’s fiscal years 2019 and 2018 financial statements based on its fiscal year 2019 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. The report also includes the results of GAO’s fiscal year 2019 follow-up on the status of IRS’s corrective actions to address deficiencies in information system security controls and associated recommendations contained in GAO’s prior years’ reports that were open as of September 30, 2018.

What GAO Recommends

In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 18 recommendations to address 11 new deficiencies in information system security controls related to access controls, configuration management, segregation of duties, and information security management program. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO’s recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes. GAO will evaluate the effectiveness of IRS’s efforts to address these deficiencies during its audit of IRS’s fiscal year 2020 financial statements.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov or Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Wed, 13 May 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Federal Management: Selected Reforms Could Be Strengthened By Following Additional Planning, Communication, and Leadership Practices, Apr 23, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-322</link>
                <description>What GAO Found

In working to implement three selected government-wide reforms that GAO reviewed, the Office of Management and Budget (OMB) and lead agencies followed some, but not all, of the key practices associated with effective reforms. Following key practices, such as those reflected in the questions below, would better position OMB and lead agencies to effectively implement such major change initiatives and achieve their intended objectives.

Moving background investigations from the Office of Personnel Management (OPM) to the Department of Defense (DOD): As required, the transfer of background investigations took place by September 30, 2019. OMB, OPM, and DOD generally addressed most key reform practices in this transfer, including involving employees and stakeholders, establishing an implementation team, and developing implementation plans. With the transfer complete, DOD officials told GAO they are shifting focus toward addressing GAO's high-risk area on the government-wide personnel security clearance process.

Solving the cybersecurity workforce shortage: OMB and the Department of Homeland Security (DHS) partially addressed most leading practices through their efforts to implement several projects, such as reskilling employees to fill vacant cybersecurity positions, and streamlining hiring processes. However, GAO found that OMB and DHS have not established a dedicated implementation team, or a government-wide implementation plan, among other practices. Without these practices in place, OMB and DHS may not be able to monitor implementation activities and determine whether progress is being made toward solving the cybersecurity workforce shortage.

Establishing the Government Effectiveness Advanced Research (GEAR) Center: According to OMB, the GEAR Center will bring together researchers from private and public sectors to inform and develop ways to improve government services and operations. OMB is working toward establishing the GEAR Center by collecting input from the public, academia, and industry for how the Center could be structured and ideas for possible research projects. However, OMB has not yet developed an implementation plan with key milestones and deliverables to track its progress. Developing and communicating an implementation plan will help OMB track the GEAR Center's progress and communicate its results.

Why GAO Did This Study

In June 2018, the administration released its government-wide reform plan, which included 32 proposals aimed at achieving management improvements and organizational efficiencies, among other things. OMB has a central role in overseeing these reform proposals, with support from various lead agencies. In July 2018, GAO reported on key questions to consider when developing and implementing reforms.

GAO was asked to examine reform implementation. This report discusses three selected reforms that the administration prioritized: (1) moving background investigations from OPM to DOD, (2) solving the cybersecurity workforce shortage, and (3) establishing the GEAR Center. For each selected reform, GAO determined the extent to which OMB and the lead agencies addressed key practices for effectively implementing reforms, among other issues.

GAO reviewed relevant documentation and interviewed OMB staff and agency officials. GAO assessed OMB's and lead agencies' efforts against relevant key practices for effective reforms.

What GAO Recommends

GAO is making 7 recommendations to OMB to follow certain key practices to help solve the cybersecurity workforce shortage and to establish the GEAR Center. OMB did not comment on the report.

For more information, contact Triana McNeil at (202) 512-6806 or Mcneilt@gao.gov.</description>
                <pubDate>Thu, 23 Apr 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene, Apr 13, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-241</link>
                <description>What GAO Found

The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie-Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.

The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.

The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD's networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.

The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO's review of 16 selected components identified six without information on system users who had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.

Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.

While two recurring reports have provided updates to senior DOD leaders on cyber information on the Cyber Discipline plan implementation, department leadership has not regularly received information on the other two initiatives and on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.

Why GAO Did This Study

DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD's Principal Cyber Advisor.

Senate Report 115-262 includes a provision that GAO review DOD cyber hygiene. This report evaluates the extent to which 1) DOD has implemented key cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques and 2) senior DOD leaders received information on the department's efforts to address these initiatives and cyber hygiene practices.

GAO reviewed documentation of DOD actions taken to implement three cyber hygiene initiatives and reviewed recurring reports provided to senior DOD leaders.

What GAO Recommends

GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices. Of the seven recommendations, DOD concurred with one, partially concurred with four, and did not concur with two. GAO continues to believe that all recommendations are warranted.

For more information, contact Joe Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Mon, 13 Apr 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Science &amp; Tech Spotlight: 5G Wireless [Reissued with revisions on Mar. 27, 2020.], Mar 26, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-412SP</link>
                <description>Why This Matters

5G wireless is expected to enhance data speeds and could enable transformative applications across transportation, manufacturing, medicine, and other sectors. While 5G could create significant economic opportunities, 5G also raises concerns about cybersecurity risks and associated national security implications, as well as several other challenges.

The Technology

What is it? 5G is a suite of fifth-generation wireless technologies that has the potential to greatly improve mobile communication in several ways. It may lead to faster and more responsive signals from cell phones and other devices. Moreover, it could deliver more reliable connections, higher energy efficiency, the ability to accommodate more devices, and faster network response times (also known as low latency).

These improvements could enable transformative applications such as self-driving vehicles, &quot;smart&quot; manufacturing and agriculture, and remote medical treatment. As with 4G, the most important innovations may not be conceived of until the network is fully implemented.



How does it work? 5G is expected to achieve these improvements in part by using more of the radio spectrum. The current 4G network uses radio frequencies less than 2.6 gigahertz (GHz), which are lower on the spectrum. 5G will begin using higher frequencies, including mid-band (up to 6GHz) and high-band, also known as millimeter wave (over 24GHz). Higher frequencies can support higher data rates, potentially enabling 5G to be over 20 times faster than 4G.

However, as a signal's frequency gets higher, its range and ability to penetrate walls and other barriers decreases. To help overcome this obstacle, one approach is to use smaller, more numerous cell antennas, along with advanced technologies. For example, researchers are developing approaches that would enable each installation to use more antennas and to aim signals to and from antennas, potentially resulting in less interference and more energy efficiency.

Each spectrum band will be best suited to different applications. For example, mid-band's combination of range and data capacity makes it suitable for what is called ultra-reliable and low-latency communication, which is required for applications like self-driving vehicles. High-band, because of its data capacity, will be best suited for dense urban environments or public gathering places like stadiums.

How mature is it? In the United States, telecommunications companies have begun deploying some 5G capabilities within existing 4G networks. The resulting hybrid network can support a class of applications enabled by enhanced mobile broadband, which basically means improved speeds.

Further improvements are expected to become available throughout the 2020s, as companies upgrade from hybrid networks to &quot;stand-alone&quot; 5G networks. Some of the technologies and specifications for other purposes—including ultra-reliable, low latency communications—remain in development. Additionally, telecommunications companies will need to upgrade their 4G network infrastructure to transition from hybrid networks to stand-alone 5G networks to facilitate a greatly expanded number of devices connected to the internet and mission-critical communications for applications like self-driving vehicles.

Opportunities


	Enhanced broadband applications. Faster connections and higher throughput could enhance applications like cloud services, video streaming, gaming, and virtual and augmented reality.
	Internet of Things. 5G could connect massive numbers of devices, such as sensors in systems for intelligent transportation and logistics, smart factories, and smart cities. For example, traffic light and road sensors could help reduce car accidents.
	Mission-critical communications. Ultra-reliable, low latency communications could enable more reliable operation of self-driving vehicles, industrial equipment, robots, and drones.
	Economic benefits. 5G deployment could bring new jobs and potentially billions of dollars in economic benefits to the United States.




Challenges


	Spectrum management. To facilitate the growth of 5G, federal agencies may need to ensure the availability of spectrum, particularly in the congested mid-bands, while balancing the needs of existing users. Researchers are also developing new technologies to optimize the use of spectrum.
	Infrastructure deployment. Applications needing low latency and high bandwidth will need significant infrastructure, including fiber optic cables and small cells, which are installations about the size of a pizza box. This installation could be expensive, require skilled labor, and take time for local permitting, planning, and procurement.
	Cybersecurity. Although 5G is expected to deliver security enhancements, the large number of 5G network components increases the risk that some components will not be properly configured to take advantage of the security enhancements. The build-out of 5G has also raised national security concerns, in particular over the supply chain in which foreign companies are major players.
	Digital divide. 5G deployment is expected to start in dense urban areas. As a result, rural and lower-income areas could have less access to 5G and its benefits, widening the digital divide.
	Privacy. 5G networks could allow for much more precise location data because 5G devices are expected to connect to cells that are located much closer, such as feet away versus in previous generations where cells could be miles away. This precise location data could increase the risk to user privacy.


Policy Context and Questions

Although 5G is mainly being deployed by industry, governments and other organizations will decide how to use public resources, such as spectrum, and what obligations network operators will have to their users. Among the questions they will face are the following:


	How can federal agencies manage spectrum to balance the needs of existing users with the needs of 5G users?
	What are the trade-offs between the speed of 5G deployment and ensuring sufficient time for local review of the location of numerous small cell antennas?
	What are the cybersecurity risks of 5G networks and applications, and what can policymakers do to address these?
	How can policymakers ensure equitable access and benefits from 5G?
	What role can policymakers take to ensure that user privacy is protected as 5G networks are deployed?


For more information, contact Karen Howard at 202-512-6888 or howardk@gao.gov.</description>
                <pubDate>Thu, 26 Mar 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Information Security: FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its Program, Mar 25, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-265</link>
                <description>What GAO Found

As GAO reported in September 2019, the Federal Communications Commission (FCC) bolstered the capacity and performance of the Electronic Comment Filing System (ECFS) to reduce the risk of future service disruptions. FCC also implemented numerous information security program and technical controls for three systems that were intended to safeguard the confidentiality, integrity, and availability of its information systems and information.

However, GAO identified program and control deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cybersecurity events, and recovering system operations. GAO made 136 recommendations to address these deficiencies (see table).

Number of GAO-Identified Information Security Program and Technical Control Deficiencies at FCC and Associated Recommendations by Core Security Function, as of September 2019

Core security function | Program-related deficiencies | Program-related recommendations | Technical control deficiencies | Technical control-related recommendations
Identify               |  3 |  4 |  0 |   0
Protect                |  1 |  1 | 37 | 108
Detect                 |  0 |  0 |  6 |  17
Respond                |  2 |  2 |  1 |   2
Recover                |  2 |  2 |  0 |   0
Total                  |  8 |  9 | 44 | 127

Source: GAO analysis of Federal Communications Commission information security program and technical controls. | GAO-20-265.

As of November 2019, FCC had made significant progress in resolving many security deficiencies by fully implementing 85 (about 63 percent) of the 136 recommendations GAO made in September 2019. FCC had also partially implemented 10, but had not started to implement the remaining 41 recommendations (see figure).

Status of the Federal Communications Commission's Efforts to Implement GAO Recommendations, as of November 2019



Additionally, FCC has created remedial action plans to implement the remaining recommendations by April 2021. Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss.

Why GAO Did This Study

FCC relies extensively on information systems to accomplish its mission of regulating interstate and international communications in the United States. FCC uses one such system, ECFS, to receive public comments about proposed changes in FCC regulations. In May 2017, a surge in comments caused a service disruption of ECFS during a public comment period.

GAO was requested to review ECFS and the reported disruption. In September 2019, GAO issued a limited official use only report on the actions FCC took to respond to the May 2017 event, and the extent to which FCC had effectively implemented security controls to protect the confidentiality, integrity, and availability of selected systems.

This current report is a public version of the September 2019 report with sensitive information removed. In addition, for this public report, GAO determined the extent to which FCC has taken corrective actions to address the previously identified security program and technical control deficiencies and related recommendations for improvement. In the prior report, GAO compared FCC's policies, procedures, and reports to federal cybersecurity laws and policies. GAO examined logical access controls and security management controls for three systems selected based on their significance to FCC. For this report, GAO examined supporting documents regarding FCC's actions on previously identified recommendations, observed controls in operation, and interviewed personnel at FCC.

For more information, contact Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Wed, 25 Mar 2020 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Data Center Optimization: Agencies Report Progress, but Oversight and Cybersecurity Risks Need to Be Addressed, Mar 05, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-279</link>
                <description>What GAO Found

The 24 agencies participating in the Office of Management and Budget's (OMB) Data Center Optimization Initiative (DCOI) reported progress toward achieving OMB's fiscal year 2019 goals for closing unneeded data centers. As of August 2019, 23 of the 24 reported that they had met, or planned to meet, their fiscal year closure goals, and would close 286 facilities in doing so (see figure). Agencies also reported plans to close at least 37 of the remaining data centers.

Agency-reported Data Centers Closed, Planned for Closure, and Remaining, as of August 31, 2019



OMB issued revised guidance in June 2019 that narrowed the scope of the type of facilities that would be defined as a data center. This revision eliminated the reporting of over 2,000 facilities government-wide. OMB had previously cited cybersecurity risks for these types of facilities. Without a requirement to report on these, important visibility is diminished, including oversight of security risks.

The 24 DCOI agencies have reported a total of $4.7 billion in cost savings from fiscal years 2012 through 2019. Of the 24 agencies, 23 reported in August 2019 they had met, or planned to meet, OMB's fiscal year 2019 savings goal of $241.5 million. One agency did not complete a plan, but planned to do so in the future. Agencies also reported plans to save about $264 million in fiscal year 2020.

The 24 agencies reported progress against OMB's three revised data center optimization metrics for virtualization, advanced energy monitoring, and server utilization. For a new fourth metric (availability), the data were not sufficiently reliable to report on because of unexpected variances in the information reported by the agencies. As of August 2019, eight agencies reported that they met all three targets for the metrics GAO reviewed, five met two targets, and six met one target. In addition, one agency had not established any targets, and four agencies reported that they no longer owned any data centers.

While the three revised metrics' definitions included the key characteristics of being clearly defined and objective, none included statistical universe parameters that enable determinations of progress. Specifically, these metrics call for counts of the actual numbers of (1) virtualized servers, (2) data centers with advanced energy metering, and (3) underutilized servers; but the metrics did not include a count of the universe of all servers and all data centers. Accordingly, percentages cannot be calculated to determine progress–for example, the number of virtualized servers may increase, but if the universe of servers increases at a higher rate, then progress would actually be negative.

Why GAO Did This Study

In December 2014, Congress enacted federal IT acquisition reform legislation that included provisions related to ongoing federal data center consolidation efforts. OMB's Federal Chief Information Officer launched DCOI to build on prior data center consolidation efforts; improve federal data centers' performance; and establish goals for inventory closures, cost savings and avoidances, and optimization performance.

The 2014 legislation included a provision for GAO to annually review agencies' data center inventories and strategies. This report addresses (1) agencies' progress and plans for data center closures and savings; and (2) agencies' progress against OMB's June 2019 revised data center optimization metrics. To do so, GAO assessed the 24 DCOI agencies' data center inventories as of August 2019, reviewed their reported cost savings documentation, evaluated their data center optimization strategic plans, and assessed their progress against OMB's established optimization targets. GAO also compared OMB's revised metrics to key characteristics of an effective performance measure.

What GAO Recommends

To improve DCOI reporting and performance, GAO is making four recommendations to OMB, and four to three selected agencies. The three agencies agreed with the recommendations while OMB did not state whether it agreed or disagreed. GAO continues to maintain that the four recommendations to OMB are warranted.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Thu, 05 Mar 2020 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements, Feb 25, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-299</link>
                <description>What GAO Found

Most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework), as GAO previously recommended. Specifically, two of the nine SSAs had developed methods and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.

The 12 selected organizations using the framework reported varying levels of resulting improvements. Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the (1) lack of precise measurements of improvement, (2) lack of a centralized information sharing mechanism, and (3) voluntary nature of the framework. NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments.


	Precise measurements: NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.
	Centralized sharing: DHS identified its homeland security information network as a tool that was intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
	Voluntary nature: In April 2019, NIST issued its NIST Roadmap for Improving Critical Infrastructure Cybersecurity, version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.


While these initiatives are encouraging, the SSAs have not yet reported on sector-wide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.

Why GAO Did This Study

Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials.

What GAO Recommends

GAO is making ten recommendations—one to NIST on establishing time frames for completing selected programs—and nine to the SSAs to collect and report on improvements gained from using the framework. Eight agencies agreed with the recommendations, while one neither agreed nor disagreed and one partially agreed. GAO continues to believe that all ten recommendations are warranted.

For more information, contact Vijay A. D'Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Tue, 25 Feb 2020 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Office of Congressional Workplace Rights: Weaknesses in Cybersecurity Management and Oversight Need to Be Addressed, Feb 11, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-199</link>
                <description>What GAO Found

The Office of Congressional Workplace Rights (OCWR) did not incorporate key cybersecurity management practices into the planning for its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project. While OCWR drafted a SOCRATES project schedule, the office did not finalize and use this schedule to manage cybersecurity activities, such as the time frames for conducting information technology (IT) system security assessments. In addition, the office did not document project cybersecurity risks, such as the office's reliance on external parties to implement responsibilities on its behalf. These weaknesses were due, in part, to a lack of policies and procedures for IT project planning. Until OCWR establishes and implements such policies and procedures, it will continue to have a limited ability to effectively manage and monitor the completion of cybersecurity activities for its IT projects.

OCWR did not fully implement important oversight activities for two selected systems—SOCRATES and the system used to document occupational safety and health violations known as the Facility Management Assistant (FMA)—operated by external entities (see table).

Extent to Which the Office of Congressional Workplace Rights (OCWR) Implemented Selected System Oversight Activities for Two Systems Operated by External Entities

System | Establish security and privacy requirements | Plan assessment of security controls | Conduct assessment | Review assessment
Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) | ◐ | ◐ | ◐ | ◐
Facility Management Assistant (FMA)                                     | ◐ | ○ | ○ | ○

Key: ● Fully implemented ◐ Partially implemented ○ Not implemented

Source: GAO analysis of agency and external contractor data. | GAO-20-199

These shortfalls contributed to concerns with the deployment of SOCRATES in June 2019. For example, important security controls needed to ensure the confidentiality, integrity, and availability of the system were not fully tested before the system was deployed. In addition, penetration testing—where evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of the system—was not fully completed before deployment. GAO plans to issue a separate report with limited distribution on its assessment of security controls intended to, among other things, prevent successful attacks.

Although OCWR's strategic plan includes a goal of developing cybersecurity policies and procedures, the office had not fully established an effective approach for managing organization-wide cybersecurity risk. For example, OCWR designated an executive to oversee risk, but had not established the responsibilities of the official in the office's policies. Until OCWR improves its approach to managing cybersecurity risks, its ability to make operational decisions that adequately address security risks will be hindered.

Why GAO Did This Study

OCWR is an independent, nonpartisan office that administers and enforces various provisions related to fair employment, and occupational safety and health within the legislative branch. To meet its mission, OCWR relies extensively on external parties, such as the Library of Congress, for IT support. In December 2018, Congress passed the Congressional Accountability Act of 1995 Reform Act (Reform Act) which, among other things, required OCWR to create a secure, online system to receive and keep track of claims related to employee rights and protections, such as sexual harassment and discrimination. To meet this requirement, OCWR initiated the SOCRATES project to upgrade its legacy claims management system.

The Reform Act included a provision for GAO to review OCWR's cybersecurity practices. This report examines the extent to which OCWR (1) incorporated key cybersecurity management activities into project planning for its claims management system upgrade, (2) performed oversight of security controls and mitigated risks for selected systems operated by external parties on its behalf, and (3) established an effective approach for managing organization-wide cybersecurity risk. To address these objectives, GAO compared OCWR IT policies, procedures, strategic plans, and documentation for two selected systems to leading IT project planning, system oversight, and cybersecurity management practices.

What GAO Recommends

GAO is making five recommendations to OCWR to address weaknesses in cybersecurity management and oversight. OCWR did not state whether it agreed or disagreed with GAO's recommendations, but described actions planned or taken to address them.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Tue, 11 Feb 2020 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Election Security: DHS Plans Are Urgently Needed to Address Identified Challenges Before the 2020 Elections, Feb 06, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-267</link>
                <description>What GAO Found

Since the 2017 designation of election infrastructure as critical infrastructure, the Department of Homeland Security (DHS), through its Cybersecurity and Infrastructure Security Agency (CISA), has assisted state and local election officials in securing election infrastructure through regional support and assistance, education, and information sharing. Such efforts help state and local election officials protect various election assets from threats (see figure).

Figure: Examples of Election Assets Subject to Physical or Cyber Threats



In August 2019, the CISA Director identified election security as one of the agency's top five operational priorities. CISA security advisors, who are located throughout the country, consult with state and local election officials and identify voluntary, no cost services that CISA can provide. According to CISA, as of November 2019, 24 cybersecurity advisors and 100 protective security advisors perform and coordinate cyber and physical security assessments for the 16 critical infrastructure sectors, including the Election Infrastructure Subsector. Technical teams at CISA headquarters generally provide the services, once requested.

To further assist state and local election officials, CISA conducted two exercises simulating real-world events and risks facing election infrastructure in August 2018 and June 2019. According to CISA, the 2019 exercise included 47 states and the District of Columbia. In addition, CISA has funded the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). According to CISA officials, the EI-ISAC is the primary mechanism for exchanging information about threats and vulnerabilities throughout the election community. The EI-ISAC director reported that, as of November 2019, its members included 50 states, the District of Columbia, and 2,267 local election jurisdictions, an increase from 1,384 local jurisdictions that were members in 2018. As a result of its efforts, CISA has provided a variety of services to states and local election jurisdictions in the past 2 years (see table).

Table: Number of Selected Cybersecurity and Infrastructure Security Agency Services Provided to States and Local Election Jurisdictions in 2018 and 2019, as of November 6, 2019

Service | States | Local election jurisdictions
Continuous scanning of internet-accessible systems for known vulnerabilities | 40 | 161
Assessments of potential network security vulnerabilities | 26 | 20
Remote testing of externally accessible systems for potential vulnerabilities | 4 | 44
Assessments of states' and local jurisdictions' susceptibility to malicious emails | 10 | 5
Educational posters on cybersecurity | 19 | 1,202

Source: Cybersecurity and Infrastructure Security Agency. | GAO-20-267

State election officials with whom GAO spoke were generally satisfied with CISA's support to secure their election infrastructure. Specifically, officials from seven of the eight states GAO contacted said that they were very satisfied with CISA's election-related work. Also, officials from each of the eight states spoke positively about the information that they received from the EI-ISAC. Further, officials from five states told GAO that their relationship with CISA had improved markedly since 2017 and spoke highly of CISA's expertise and availability.

To guide its support to states and local election jurisdictions for the 2020 elections, CISA reported that it is developing strategic and operations plans. CISA intended to finalize them by January 2020, but has faced challenges in its planning efforts due to a reorganization within CISA, among other things. In the absence of completed plans, CISA is not well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of the 2020 election cycle. Further, CISA's operations plan may not fully address all aspects outlined in its strategic plan, when finalized. Specifically, according to CISA officials, the operations plan is expected to identify organizational functions, processes, and resources for certain elements of two of the four strategic plan's lines of effort—protecting election infrastructure, and sharing intelligence and identifying threats. CISA officials stated that CISA was unlikely to develop additional operations plans for the other two lines of effort—providing security assistance to political campaigns, and raising public awareness on foreign influence threats and building resilience.

Moreover, CISA has not developed plans for how it will address challenges, such as concerns about incident response, identified in two reviews—one conducted by CISA and the other done by an external entity under contract—of the agency's 2018 election security assistance. Challenges that the reviews identified include:

inadequate tailoring of services, which could have made it more difficult for CISA to meet the resource and time constraints of customers such as local election jurisdictions;

not always providing actionable recommendations in DHS classified threat briefings or making unclassified versions of the briefings available, which may have hindered election officials' ability to effectively communicate with information technology and other personnel in their agencies who did not have clearances;

the inability of CISA personnel supporting election security operations to access social media websites from situational awareness rooms, which hindered their collection and analysis of threat information;

few capabilities that CISA field staff could quickly provide on Election Day, which could limit the agency's timeliness in responding to an incident; and

a lack of clarity regarding CISA's incident response capabilities in the event of a compromise that exhausts state and local resources, which may limit knowledge about agency capabilities that are available.

Although CISA officials said that the challenges identified in the reviews have informed their strategic and operational planning, without finalized plans it is unknown whether CISA will address these challenges.

Why GAO Did This Study

In January 2017, the Secretary of Homeland Security designated election infrastructure as a critical infrastructure subsector. The designation allowed DHS to prioritize assistance to state and local election officials to protect key election assets, including voter registration databases and voting equipment.

The Conference Report (H. Rep. No. 116-9) accompanying the 2019 Consolidated Appropriations Act included a provision for GAO to examine how DHS is implementing key responsibilities to help protect the election infrastructure and the reported benefits and challenges of such efforts.

This report addresses (1) DHS's election security efforts and selected election officials' perspectives on them, and (2) DHS's planning for the 2020 elections. GAO reviewed DHS's strategies, plans, and services provided to election officials. GAO also interviewed DHS officials, representatives of the EI-ISAC, a DHS-funded center responsible for sharing threat information nationwide, and election officials from eight states and three local jurisdictions.

GAO selected the states and local jurisdictions to provide geographic diversity and variation in election administration, among other factors. The results from these states and localities are not generalizable, but provide insight into election officials' perspectives on DHS's efforts.

What GAO Recommends

GAO is making three recommendations to the CISA Director to (1) urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure for the upcoming elections, (2) ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections, and (3) document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency's 2020 planning. DHS concurred with all three recommendations and provided estimated dates for implementing each of them.

For more information, contact Vijay D'Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Thu, 06 Feb 2020 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Technology: DHS Directives Have Strengthened Federal Cybersecurity, but Improvements Are Needed, Feb 04, 2020</title>
                <link>https://www.gao.gov/products/GAO-20-133</link>
                <description>What GAO Found

The Department of Homeland Security (DHS) has established a five-step process for developing and overseeing the implementation of binding operational directives, as authorized by the Federal Information Security Modernization Act of 2014 (FISMA). The process includes DHS coordinating with stakeholders early in the directives' development process and validating agencies' actions on the directives. However, in implementing the process, DHS did not coordinate with stakeholders early in the process and did not consistently validate agencies' self-reported actions. In addition to being a required step in the directives process, FISMA requires DHS to coordinate with the National Institute of Standards and Technology (NIST) to ensure that the directives do not conflict with existing NIST guidance for federal agencies. However, NIST officials told GAO that DHS often did not reach out to NIST on directives until 1 to 2 weeks before the directives were to be issued, and then did not always incorporate the NIST technical comments. More recently, DHS and NIST have started regular coordination meetings to discuss directive-related issues earlier in the process. Regarding validation of agency actions, DHS has done so for selected directives, but not for others. DHS is not well-positioned to validate all directives because it lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion.

Directives' implementation often has been effective in strengthening federal cybersecurity. For example, a 2015 directive on critical vulnerability mitigation required agencies to address critical vulnerabilities discovered by DHS cyber scans of agencies' internet-accessible systems within 30 days. This was a new requirement for federal agencies. While agencies did not always meet the 30-day requirement, their mitigations were validated by DHS and reached 87 percent compliance by 2017 (see fig. 1). DHS officials attributed the recent decline in percentage completion to a 35-day partial government shutdown in late 2018/early 2019. Nevertheless, for the 4-year period shown in the figure below, agencies mitigated within 30 days about 2,500 of the 3,600 vulnerabilities identified.

Figure 1: Critical Vulnerabilities Mitigated within 30 days, May 21, 2015 through May 20, 2019



Agencies also made reported improvements in securing or replacing vulnerable network infrastructure devices. Specifically, a 2016 directive on the Threat to Network Infrastructure Devices addressed, among other things, several urgent vulnerabilities in the targeting of firewalls across federal networks and provided technical mitigation solutions. As shown in figure 2, in response to the directive, agencies reported progress in mitigating risks to more than 11,000 devices as of October 2018.

Figure 2: Federal Civilian Agency Vulnerable Network Infrastructure Devices That Had Not Been Mitigated, September 2016 through January 2019



In addition, GAO reviewed DHS policies and processes related to the directives and assessed them against FISMA and Office of Management and Budget requirements; administered a data collection instrument to selected federal agencies; compared the agencies' responses and supporting documentation to the requirements outlined in the five directives; and collected and analyzed DHS's government-wide scanning data on government-wide implementation of the directives. GAO also interviewed DHS and selected agency officials.

Why GAO Did This Study

DHS plays a key role in federal cybersecurity. FISMA authorized DHS, in consultation with the Office of Management and Budget, to develop and oversee the implementation of compulsory directives—referred to as binding operational directives—covering executive branch civilian agencies. These directives require agencies to safeguard federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk. Since 2015, DHS has issued eight directives that instructed agencies to, among other things, (1) mitigate critical vulnerabilities discovered by DHS through its scanning of agencies' internet-accessible systems; (2) address urgent vulnerabilities in network infrastructure devices identified by DHS; and (3) better secure the government's highest value and most critical information and system assets.

GAO was requested to evaluate DHS's binding operational directives. This report addresses (1) DHS's process for developing and overseeing the implementation of binding operational directives and (2) the effectiveness of the directives, including agencies' implementation of the directive requirements. GAO selected for review the five directives that were in effect as of December 2018, and randomly selected for further in-depth review a sample of 12 agencies from the executive branch civilian agencies to which the directives apply.

What GAO Recommends

GAO is making four recommendations to DHS: (1) determine when in the directive development process—for example, during early development and at directive approval—coordination with relevant stakeholders, including NIST, should occur; (2) develop a strategy for when and how to independently validate selected agencies' self-reported actions on meeting directive requirements, where feasible, using a risk-based approach; (3) ensure that the directive performance metric for addressing vulnerabilities identified in high value asset assessments aligns with the process DHS has established; and (4) develop a schedule and plan for completing the high value asset program reassessment and addressing the outstanding issues on completing the required assessments, identifying needed resources, and finalizing guidance to agencies and third parties. DHS concurred with GAO's recommendations and outlined steps and associated timelines that it planned to take to address the recommendations.

Another key DHS directive is Securing High Value Assets, an initiative to protect the government's most critical information and system assets. According to this directive, DHS is to lead in-depth assessments of federal agencies' most essential identified high value assets. However, an important performance metric for addressing vulnerabilities identified by these assessments does not account for agencies submitting remediation plans in cases where weaknesses cannot be fully addressed within 30 days. Further, DHS only completed about half of the required assessments for the most recent 2 years (61 of 142 for fiscal year 2018, and 73 of 142 required assessments for fiscal year 2019; see fig. 3). In addition, DHS does not plan to finalize guidance to agencies and third parties, such as contractors or agency independent assessors, for conducting reviews of additional high value assets that are considered significant, but are not included in DHS's current review, until the end of fiscal year 2020. Given these shortcomings, DHS is now reassessing key aspects of the program. However, it does not have a schedule or plan for completing this reassessment, or to address outstanding issues on completing required assessments, identifying needed resources, and finalizing guidance to agencies and third parties.

Figure 3: Department of Homeland Security Assessments of Agency High Value Assets, Fiscal Years (FY) 2018 through 2019



For more information, contact Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.</description>
                <pubDate>Tue, 04 Feb 2020 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed, Dec 12, 2019</title>
                <link>https://www.gao.gov/products/GAO-20-126</link>
                <description>What GAO Found

The 24 federal agencies GAO surveyed reported using the Federal Risk and Authorization Management Program (FedRAMP) for authorizing cloud services. From June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase. However, 15 agencies reported that they did not always use the program for authorizing cloud services. For example, one agency reported that it used 90 cloud services that were not authorized through FedRAMP and the other 14 agencies reported using a total of 157 cloud services that were not authorized through the program. In addition, 31 of 47 cloud service providers reported that during fiscal year 2017, agencies used providers' cloud services that had not been authorized through FedRAMP. Although the Office of Management and Budget (OMB) required agencies to use the program, it did not effectively monitor agencies' compliance with this requirement. Consequently, OMB may have less assurance that cloud services used by agencies meet federal security requirements.

Four selected agencies did not consistently address key elements of the FedRAMP authorization process (see table). Officials at the agencies attributed some of these shortcomings to a lack of clarity in the FedRAMP guidance.

Agency Implementation of Key Elements of the FedRAMP Authorization Process

Element | HHS | GSA | EPA | USAID
Control implementation summaries identified security control responsibilities | ● | ● | ● | ●
Security plans addressed required information on control implementation | ◐ | ◐ | ◐ | ●
Security assessment reports summarized results of control tests | ◐ | ◐ | ◐ | ●
Remedial action plans addressed required information | ◐ | ◐ | ◐ | ◐
Cloud service authorizations prepared and provided to FedRAMP Program Office | ◐ | ● | ◐ | ◐

Legend: ● fully addressed the element ◐ partially addressed the element

FedRAMP = Federal Risk and Authorization Management Program; HHS = Department of Health and Human Services; GSA = General Services Administration; EPA = Environmental Protection Agency; USAID = U.S. Agency for International Development

Source: GAO analysis of agency documentation. | GAO-20-126

Program participants identified several benefits, but also noted challenges with implementing FedRAMP. For example, almost half of the 24 agencies reported that the program had improved the security of their data. However, participants reported ongoing challenges with resources needed to comply with the program. GSA took steps to improve the program, but its FedRAMP guidance on requirements and responsibilities was not always clear and the program's process for monitoring the status of security controls over cloud services was limited. Until GSA addresses these challenges, agency implementation of the program's requirements will likely remain inconsistent.

Why GAO Did This Study

Federal agencies use internet-based (cloud) services to fulfill their missions. GSA manages FedRAMP, which provides a standardized approach to ensure that cloud services meet federal security requirements. OMB requires agencies to use FedRAMP to authorize the use of cloud services.

GAO was asked to review FedRAMP. The objectives were to determine the extent to which 1) federal agencies used FedRAMP to authorize cloud services, 2) selected agencies addressed key elements of the program's authorization process, and 3) program participants identified FedRAMP benefits and challenges. GAO analyzed survey responses from 24 federal agencies and 47 cloud service providers. GAO also reviewed policies, plans, procedures, and authorization packages for cloud services at four selected federal agencies and interviewed officials from federal agencies, the FedRAMP program office, and OMB.

What GAO Recommends

GAO is making one recommendation to OMB to enhance oversight, two to GSA to improve guidance and monitoring, and 22 to the selected agencies, including GSA. GSA and HHS agreed with the recommendations, USAID generally agreed, EPA generally disagreed, and OMB neither agreed nor disagreed. GAO revised four recommendations and withdrew one based on new information provided; it maintains that the remaining recommendations are warranted.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Thu, 12 Dec 2019 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Security: VA and Other Federal Agencies Need to Address Significant Challenges, Nov 14, 2019</title>
                <link>https://www.gao.gov/products/GAO-20-256T</link>
                <description>What GAO Found

Federal agencies, including the Department of Veterans Affairs (VA), continue to have deficient information security programs. For example, in fiscal year 2018, inspectors general (IGs) used a five-level maturity model to rate agency information security policies, procedures, and practices related to the five core security functions—identify, protect, detect, respond, and recover—established by the National Institute of Standards and Technology's cybersecurity framework. VA's ratings were generally consistent with the ratings of other major agencies (see figure) and its information security program was one of 18 agency programs that IGs deemed ineffective.

Maturity Level Ratings for the Cybersecurity Framework Core Security Functions for 24 Major Agencies, including the Department of Veterans Affairs (VA), for Fiscal Year 2018



Most major agencies, including VA, had significant security control deficiencies over their financial reporting. For example, for fiscal year 2018, VA's IG reported deficiencies in control areas, such as security management, access control, configuration management, segregation of duties, and contingency planning. Additionally, as of fiscal year 2018, VA reported meeting six of the 10 cybersecurity performance targets set by the administration.

VA faces several security challenges as it secures and modernizes its information systems. These challenges pertain to effectively implementing information security controls; mitigating known vulnerabilities; establishing elements of its cybersecurity risk management program; and identifying critical cybersecurity staffing needs. VA also faces the additional challenge of managing IT supply chain risks as the department takes steps to modernize its information systems.

Why GAO Did This Study

In providing health care and other benefits to veterans and their dependents, VA relies extensively on IT systems and networks to receive, process, and maintain sensitive data, including veterans' medical records and other personally identifiable information. Accordingly, effective security controls based on federal guidance and requirements are essential to ensure that VA's systems and information are adequately protected from loss, unauthorized disclosure, inadvertent or deliberate misuse, or improper modification, and are available when needed.

For this testimony, GAO summarized the status of information security across the federal government and particularly at VA. It also discusses the security challenges that VA faces as it modernizes and secures its information systems. To develop this statement, GAO reviewed its prior reports and relevant Office of Management and Budget, IG, and agency reports.

What GAO Recommends

In 2016, GAO recommended 74 actions for VA to take to address deficiencies and improve its cybersecurity program. However, as of October 2019, VA had not demonstrated that it had addressed 42 of these recommendations. In 2019, GAO made four additional recommendations to improve the department's cybersecurity risk management program and one recommendation to accurately identify work roles of IT and cybersecurity workforce positions. VA concurred with these recommendations and planned to implement them.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Thu, 14 Nov 2019 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid, Aug 26, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-332</link>
                <description>What GAO Found

The electric grid faces significant cybersecurity risks:

Threat actors. Nations, criminal groups, terrorists, and others are increasingly capable of attacking the grid.

Vulnerabilities. The grid is becoming more vulnerable to cyberattacks—particularly those involving industrial control systems that support grid operations. (The figure below is a high-level depiction of ways in which an attacker could compromise industrial control systems.) The increasing adoption of high-wattage consumer Internet of Things devices—“smart” devices connected to the internet—and the use of the global positioning system to synchronize grid operations are also vulnerabilities.

Impacts. Although cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations. In addition, while recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, the scale of power outages that may result from a cyberattack is uncertain due to limitations in those assessments.

Potential Ways an Attacker Could Compromise Industrial Control System Devices



Although the Department of Energy (DOE) has developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, these documents do not fully address all of the key characteristics needed for a national strategy. For example, while DOE conducted a risk assessment, that assessment had significant methodological limitations and did not fully analyze grid cybersecurity risks. One such key limitation was that the assessment used a model that covered only a portion of the grid and reflected how that portion existed around 1980. Until DOE has a complete grid cybersecurity plan, the guidance the plan provides decision makers in allocating resources to address those risks will likely be limited.

The Federal Energy Regulatory Commission (FERC)—the regulator for the interstate transmission of electricity—has approved mandatory grid cybersecurity standards. However, it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity—specifically, the National Institute of Standards and Technology (NIST) Cybersecurity Framework. (See table below for an excerpt of GAO's analysis of two of the five framework functions.) Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices.

Extent to Which FERC-Approved Cybersecurity Standards Address the National Institute of Standards and Technology Cybersecurity Framework's Identify and Protect Functions

Function | GAO assessment | Category | GAO assessment
Identify | ◑ | Asset management | ◑
 |  | Business environment | ○
 |  | Governance | ◑
 |  | Risk assessment | ◕
 |  | Risk management strategy | ○
 |  | Supply chain risk management | ◑
Protect | ◕ | Identity management, authentication, and access control | ●
 |  | Awareness and training | ◑
 |  | Data security | ◑
 |  | Information protection processes and procedures | ◕
 |  | Maintenance | ◑
 |  | Protective technology | ◑

Legend: ●—Fully address.   ◕—Substantially address. ◑—Partially address.   ◔—Minimally address.○—Do not address  . 

Source: GAO analysis of Federal Energy Regulatory Commission (FERC)-approved cybersecurity standards. | GAO-19-332

In addition, FERC's approved threshold for which entities must comply with the requirements in the full set of grid cybersecurity standards is based on an analysis that did not evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. Such an attack could target, for example, a combination of geographically dispersed systems that each fall below the threshold for complying with the full set of standards. Responding to such an attack could be more difficult than to a localized event since resources may be geographically distributed rather than concentrated in the same area. Without information on the risk of such an attack, FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk.

Why GAO Did This Study

The nation's electric grid—the commercial electric power generation, transmission, and distribution system comprising power lines and other infrastructure—delivers the electricity that is essential for modern life. As a result, the reliability of the grid—its ability to meet consumers' electricity demand at all times—has been of long-standing national interest.

GAO was asked to review the cybersecurity of the grid. Among other things, this report (1) describes the cybersecurity risks facing the grid, (2) assesses the extent to which DOE has defined a strategy for addressing grid cybersecurity risks, and (3) assesses the extent to which FERC-approved standards address grid cybersecurity risks.

To do so, GAO developed a list of cyber actors that could pose a threat to the grid; identified key vulnerable components and processes that could be exploited; and reviewed studies on the potential impact of cyberattacks on the grid by reviewing prior GAO and industry reports, as well as interviewing representatives from federal and nonfederal entities. GAO also analyzed DOE's approaches to implementing a federal cybersecurity strategy for the energy sector as it relates to the grid and assessed FERC oversight of cybersecurity standards for the grid.

What GAO Recommends

GAO is making three recommendations—one to DOE and two to FERC.

GAO is making a recommendation to DOE to develop a plan aimed at implementing the federal cybersecurity strategy for the grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.

GAO is also making the following two recommendations to FERC:

1. Consider adopting changes to its approved cybersecurity standards to more fully address the NIST Cybersecurity Framework.

2. Evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine if changes are needed in the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.

DOE and FERC agreed with GAO’s recommendations.

For more information, contact Frank Rusco at (202) 512-3841 or ruscof@gao.gov or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Mon, 26 Aug 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Federal Information Security: Agencies and OMB Need to Strengthen Policies and Practices, Jul 26, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-545</link>
                <description>What GAO Found

During fiscal year 2018, many federal agencies were often not adequately or effectively implementing their information security policies and practices. For example, most of the 16 agencies GAO selected for review had deficiencies related to implementing the eight elements of an agency-wide information security program required by the Federal Information Security Modernization Act of 2014 (FISMA) (see figure). Further, inspectors general (IGs) reported that 18 of the 24 Chief Financial Officers (CFO) Act of 1990 agencies did not have effective agency-wide information security programs. GAO and IGs have previously made numerous recommendations to agencies to address such deficiencies, but many of these recommendations remain unimplemented.

Number of 16 Selected Agencies with Deficiencies in the Eight Elements of an Information Security Program, as Required by the Federal Information Security Modernization Act of 2014



With certain exceptions, the Office of Management and Budget (OMB), Department of Homeland Security (DHS), and National Institute of Standards and Technology (NIST) were generally implementing their government-wide FISMA requirements, including issuing guidance and implementing programs that are intended to improve agencies' information security. However, OMB has not submitted its required FISMA report to Congress for fiscal year 2018 and has reduced the number of agencies at which it holds CyberStat meetings from 24 in fiscal year 2016 to three in fiscal year 2018—thereby restricting key activities for overseeing agencies' implementation of information security. Also, OMB, in collaboration with the Council of Inspectors General for Integrity and Efficiency (CIGIE), did not include a metric for system security plans, one of the required information security program elements, in its guidance on FISMA reporting. As a result, oversight of agencies' information security programs was diminished.

Why GAO Did This Study

For 22 years, GAO has designated information security as a government-wide high-risk area. FISMA requires federal agencies to develop, document, and implement information security programs and have independent evaluations of those programs and practices. It also assigns government-wide responsibilities for information security to OMB, DHS, and NIST.

FISMA includes a provision for GAO to periodically report to Congress on agencies' implementation of the act. GAO's objectives in this report were to (1) describe the reported adequacy and effectiveness of selected federal agencies' information security policies and practices and (2) evaluate the extent to which OMB, DHS, and NIST have implemented their government-wide FISMA requirements. GAO categorized information security deficiencies as reported by 16 randomly selected agencies and their IGs according to the elements of an information security program; evaluated IG reports for 24 CFO Act agencies; examined OMB, DHS, and NIST documents; and interviewed agency officials.

What GAO Recommends

GAO is making three recommendations to OMB to (1) submit its FISMA report to Congress for fiscal year 2018, (2) expand its coordination of CyberStat meetings with agencies, and (3) collaborate with CIGIE to update the inspector general FISMA reporting metrics to include assessing system security plans. OMB generally agreed with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Fri, 26 Jul 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges, Jul 25, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-384</link>
                <description>What GAO Found

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:

Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.

Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.

Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.

Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.

Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.

Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs (see table).

Agency Challenges in Establishing Cybersecurity Risk Management Programs

Challenge | Agencies reporting challenge
Hiring and retaining key cybersecurity management personnel | 23
Managing competing priorities between operations and cybersecurity | 19
Establishing and implementing consistent policies and procedures | 18
Establishing and implementing standardized technology capabilities | 18
Receiving quality risk data | 18
Using federal cybersecurity risk management guidance | 16
Developing an agency-wide risk management strategy | 15
Incorporating cyber risks into enterprise risk management | 14


Source: GAO analysis of agency data. | GAO-19-384

In response to a May 2017 executive order, the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) identified areas for improvement in agencies' capabilities for managing cyber risks. Further, they have initiatives under way that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, OMB and DHS did not establish initiatives to address the other challenges on managing conflicting priorities, establishing and implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM. Without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.

Why GAO Did This Study

Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.

GAO was asked to review federal agencies' cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face. To do this, GAO reviewed policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to key federal cybersecurity risk management practices, obtained agencies' views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.

What GAO Recommends

GAO is making 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges. Seventeen agencies agreed with the recommendations, one partially agreed, and four, including OMB, did not state whether they agreed or disagreed. GAO continues to believe all its recommendations are warranted.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Thu, 25 Jul 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls, Jul 18, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-474R</link>
                <description>What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified new deficiencies in information system security controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 14 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 14 new information system security control deficiencies and made 20 recommendations to address them.

In addition, GAO found that as of September 30, 2018, IRS had completed corrective actions to address information system security control deficiencies associated with 46 of the 154 recommendations resulting from GAO's financial audits, and as a result, these recommendations were closed. GAO closed one additional recommendation that was no longer relevant because of changes in the agency's operating environment. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2018.

As a result, IRS has 127 GAO recommendations to address—the 107 remaining open recommendations from GAO's prior financial audits and the 20 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.

Status of GAO Recommendations to IRS for Addressing Information System Security Control Deficiencies

Information system security control area | Open recommendations from prior audits | Prior recommendations closed as of September 30, 2018 | New recommendations resulting from FY 2018 audit | Total remaining open recommendations
Access controls | 106 | 24 | 11 | 93
Configuration management | 32 | 13 | 7 | 26
Segregation of duties | 1 | 1 | 1 | 1
Contingency planning | 2 | 2 | 1 | 1
Information security program | 13 | 7 | — | 6
Total | 154 | 47 | 20 | 127

Legend: FY = fiscal year; — = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-19-474R

Why GAO Did This Study

This report presents the new information system security control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements based on its fiscal year 2018 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of IRS's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open at the beginning of GAO's fiscal year 2018 audit.

What GAO Recommends

In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 20 recommendations to address the 14 new information system security control deficiencies related to access controls, configuration management, segregation of duties, and contingency planning. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with our recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes that implement appropriate security controls. GAO will evaluate the effectiveness of IRS's efforts to address these deficiencies during its audit of IRS's fiscal year 2019 financial statements.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov or Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov.</description>
                <pubDate>Thu, 18 Jul 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes, May 17, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-288</link>
                <description>What GAO Found

Remote identity proofing is the process federal agencies and other entities use to verify that the individuals who apply online for benefits and services are who they claim to be. To perform remote identity proofing, agencies that GAO reviewed rely on consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification. This type of verification involves asking applicants seeking federal benefits or services personal questions derived from information found in their credit files, with the assumption that only the true owner of the identity would know the answers. If the applicant responds correctly, their identity is considered to be verified. For example, the Social Security Administration (SSA) uses this technique to verify the identities of individuals seeking access to the “My Social Security” service, which allows them to check the status of benefit applications, request a replacement Social Security or Medicare card, and request other services.

However, data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions. The risk that an attacker could obtain and use an individual's personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications. Alternative methods are available that provide stronger security, as shown in Figure 1. However, these methods may have limitations in cost, convenience, and technological maturity, and they may not be viable for all segments of the public.

Figure 1: Examples of Alternative Identity Verification and Validation Methods that Federal Agencies Have Reported Using 

Two of the six agencies that GAO reviewed have eliminated knowledge-based verification. Specifically, the General Services Administration (GSA) and the Internal Revenue Service (IRS) recently developed and began using alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification. One agency—the Department of Veterans Affairs (VA)—has implemented alternative methods for part of its identity proofing process but still relies on knowledge-based verification for some individuals. SSA and the United States Postal Service (USPS) intend to reduce or eliminate their use of knowledge-based verification sometime in the future but do not yet have specific plans for doing so. The Centers for Medicare and Medicaid Services (CMS) has no plans to reduce or eliminate knowledge-based verification for remote identity proofing.

Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.

NIST has issued guidance to agencies related to identity proofing and OMB has drafted identity management guidance, but their guidance is not sufficient to ensure agencies are adopting such methods. Sound practices in information technology (IT) management state that organizations should provide clear direction on how to implement IT objectives. However, NIST's guidance does not provide direction to agencies on how to successfully implement alternative identity-proofing methods with currently available technologies for all segments of the public. For example, the guidance does not discuss the advantages and limitations of currently available technologies or make recommendations to agencies on which technologies should be adopted. Further, most of the agencies that GAO reviewed reported that they were not able to implement the guidance because of limitations in available technologies for implementing alternative identity proofing methods. NIST officials stated that they believe their guidance is comprehensive, and at the time of our review they did not plan to issue supplemental implementation guidance to assist agencies.

The Federal Information Security Modernization Act of 2014 (FISMA) requires that OMB oversee federal agencies' information security practices. Although OMB has the authority under this statute to issue guidance, OMB has not issued guidance requiring agencies to report on their progress in implementing NIST's identity proofing guidance. OMB staff plan to issue guidance on identity management at federal agencies, but their proposed guidance does not require agencies to report on their progress in implementing NIST guidance. Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identity proofing processes.

Why GAO Did This Study

Many federal agencies rely on CRAs, such as Equifax, to help conduct remote identity proofing. The 2017 breach of data at Equifax raised concerns about federal agencies' remote identity proofing processes.

GAO was asked to review federal agencies' remote identity proofing practices in light of the recent Equifax breach and the potential for fraud. The objectives of this review were to (1) describe federal practices for remote identity proofing and the risks associated with those practices, (2) assess federal agencies' actions to ensure the effectiveness of agencies' remote identity proofing processes, and (3) assess the sufficiency of federal identity proofing guidance.

To do so, GAO identified remote identity proofing practices used by six agencies (CMS, GSA, IRS, SSA, USPS, and VA) with major, public-facing web applications providing public access to benefits or services. GAO compared the agencies' practices to NIST's remote identity proofing guidance to assess their effectiveness, and compared NIST's and OMB's guidance to requirements in federal law and best practices in IT management to assess the sufficiency of the guidance.

What GAO Recommends

GAO is making recommendations to six agencies to strengthen online identity verification processes:

GAO recommends that CMS, SSA, USPS, and VA develop plans to strengthen their remote identity proofing processes by discontinuing knowledge-based verification.

GAO recommends that NIST supplement its technical guidance with implementation guidance to assist agencies in adopting more secure remote identity proofing processes.

GAO recommends that OMB issue guidance requiring federal agencies to report on their progress in adopting secure identity proofing practices.

Four agencies—Commerce (on behalf of NIST), SSA, USPS, and VA—agreed with GAO's recommendations. These agencies outlined the additional steps they plan to take to improve the security of their remote identity proofing processes. One agency, HHS (on behalf of CMS), disagreed with GAO's recommendation because it did not believe that the available alternatives to knowledge-based verification were feasible for the individuals it serves. However, a variety of alternative methods exist, and GAO continues to believe CMS should develop a plan for discontinuing the use of knowledge-based verification. OMB provided a technical comment, which GAO incorporated, but OMB did not provide any comments on GAO's recommendation.

For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov, or Michael Clements at (202) 512-8678 or ClementsM@gao.gov.</description>
                <pubDate>Fri, 17 May 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Taxpayer Information: IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices, May 09, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-340</link>
                <description>What GAO Found

Federal law and guidance require that the Internal Revenue Service (IRS) protect the confidentiality, integrity, and availability of the sensitive financial and taxpayer information that resides on its systems. However, taxpayer information held by third-party providers—such as paid tax return preparers and tax preparation software providers—generally falls outside of these requirements, according to IRS officials.

In 2018, about 90 percent of individual taxpayers had their tax returns electronically filed by paid preparers or used tax preparation software to prepare and file their own returns.

How Individual Tax Returns Were Filed, Calendar Year 2018



IRS seeks to help safeguard electronic tax return filing for various types of third-party providers through requirements under its Authorized e-file Provider program. However, IRS’s efforts do not provide assurance that taxpayers’ information is being adequately protected.

Paid Preparers. IRS has not developed minimum information security requirements for the systems used by paid preparers or Authorized e-file Providers. According to IRS’s Office of Chief Counsel, IRS does not have the explicit authority to regulate security for these systems. Instead, the Internal Revenue Code gives IRS broad authority to administer and supervise the internal revenue laws. The Department of the Treasury has previously requested additional authority to regulate the competency of all paid preparers; GAO has also suggested that Congress consider granting IRS this authority. Congress has not yet provided such authority. Neither the Department of the Treasury request nor the GAO suggestion included granting IRS authority to regulate the security of paid preparers’ systems. Having such authority would enable IRS to establish minimum requirements. Further, having explicit authority to establish security standards for Authorized e-file Providers’ systems may help IRS better ensure the protection of taxpayers’ information.

Tax Software Providers. As part of a public-private partnership between IRS and the tax preparation industry, 15 tax software providers voluntarily adhere to a set of about 140 information security controls developed using guidance from the National Institute of Standards and Technology (NIST). However, these controls are not required, and these providers represent only about one-third of all tax software providers. Additionally, IRS established six security, privacy, and business standards for providers of software that allows individuals to prepare their own tax returns (as opposed to software that paid preparers use). However, IRS has not substantially updated these standards since 2010, and they are, at least in part, outdated. For example, IRS cites an outdated encryption standard that NIST recommends not using due to its many known weaknesses.

A key factor contributing to missed opportunities to address third-party cybersecurity is IRS’s lack of centralized leadership. Consequently, IRS is less able to ensure that third-party providers adequately protect taxpayers’ information, which may result in identity theft refund fraud.

Example of Successful Identity Theft Refund Fraud Attempt



IRS monitors compliance with its electronic tax return filing program requirements for those paid preparers who electronically file returns; however, IRS’s monitoring has a limited focus on cybersecurity issues. For example, the monitoring techniques largely focus on physical security (e.g., locked filing cabinets) rather than verifying that preparers have an information security policy consistent with NIST-recommended controls. Without effective monitoring of cybersecurity controls, IRS has limited assurance that those paid preparers’ systems have adequate controls in place to protect clients’ data.

IRS recently began collecting information on high-risk security incidents, such as hackers infiltrating third-party provider systems. Reported incidents increased from 2017 to 2018, the only years for which IRS has data. However, IRS does not have a full picture of the scope of incidents because of inconsistent reporting requirements, including no reporting requirements for paid preparers.

Reported High-Risk Security Incidents at Paid Preparers and Tax Software Providers, 2017 and 2018

 | 2017 | 2018
Number of security incidents | 212 | 336
Number of taxpayer accounts affected | 180,557 | 211,162

Source: GAO analysis of Internal Revenue Service data. | GAO-19-340

Why GAO Did This Study

Third-party providers, such as paid tax return preparers and tax preparation software providers, greatly impact IRS’s administration of the tax system. If these third parties do not properly secure taxpayers’ personal and financial information, taxpayers will be vulnerable to identity theft refund fraud and their sensitive personal information will be at risk of unauthorized disclosure. IRS estimates that it paid out at least $110 million in identity theft tax refund fraud during 2017, and at least $1.6 billion in identity theft tax refund fraud during 2016.

GAO was asked to review IRS’s efforts to track, monitor, and deter theft of taxpayer information from third parties. Among other things, this report assesses what is known about the taxpayer information security requirements for the systems used by third-party providers, IRS’s processes for monitoring compliance with these requirements, and IRS’s requirements for third-party security incident reporting.

GAO analyzed IRS’s information security requirements, standards, and guidance for third-party providers and compared them to relevant laws, regulations, and leading practices, such as NIST guidance and Standards for Internal Control in the Federal Government. GAO reviewed IRS’s monitoring procedures and its requirements and processes for third-party reporting of security incidents, and compared them to Internal Control Standards and GAO’s A Framework for Managing Fraud Risk in Federal Programs. GAO also interviewed IRS and tax industry group officials.

What GAO Recommends

GAO suggests that Congress consider providing IRS with explicit authority to establish security requirements for paid preparers’ and Authorized e-file Providers’ systems.

GAO is also making eight recommendations, including that the Commissioner of Internal Revenue


	Develop a governance structure or other form of centralized leadership to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers.
	Require all tax software providers to adhere to prescribed information security controls.
	Regularly review and update security standards for tax software providers.
	Update IRS’s monitoring programs to include basic cybersecurity issues.
	Standardize incident reporting requirements for all types of third-party providers.


IRS agreed with three recommendations, including the above recommendations to regularly review and update security standards for tax software providers, and standardize incident reporting requirements.

IRS disagreed with five recommendations—including the other three listed above—generally citing the lack of clear and explicit authority it would need to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. GAO believes that IRS can implement these recommendations without additional statutory authority.

For more information, contact Jessica Lucas-Judy at 202-512-9110 or lucasjudyj@gao.gov.</description>
                <pubDate>Thu, 09 May 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>FEMA Grants Modernization: Improvements Needed to Strengthen Program Management and Cybersecurity, Apr 09, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-164</link>
                <description>
	What GAO Found

	Of six important leading practices for effective business process reengineering and information technology (IT) requirements management, the Federal Emergency Management Agency (FEMA) fully implemented four and partially implemented two for the Grants Management Modernization (GMM) program (see table). Specifically, FEMA ensured senior leadership commitment, took steps to assess its business environment and performance goals, took recent actions to track progress in delivering IT requirements, and incorporated input from end user stakeholders. However, FEMA has not yet fully established plans for implementing new business processes or established complete traceability of IT requirements.

	Extent to Which the Federal Emergency Management Agency Implemented Selected Leading Practices for Business Process Reengineering and Information Technology (IT) Requirements Management for the Grants Management Modernization Program

	Leading practice                                                                    Overall area rating
	Ensure executive leadership support for process reengineering                       ●
	Assess the current and target business environment and business performance goals  ●
	Establish plans for implementing new business processes                             ◑
	Establish clear, prioritized, and traceable IT requirements                         ◑
	Track progress in delivering IT requirements                                        ●
	Incorporate input from end user stakeholders                                        ●

	Legend: ●=Fully implemented, ◑=Partially implemented, ○=Not implemented.

	Source: GAO analysis of Federal Emergency Management Agency documentation. | GAO-19-164

	Until FEMA fully implements the remaining two practices, it risks delivering an IT solution that does not fully modernize FEMA's grants management systems.

	While GMM's initial May 2017 cost estimate of about $251 million was generally consistent with leading practices for a reliable, high-quality estimate, it no longer reflects current assumptions about the program. FEMA officials stated in December 2018 that they had completed a revised cost estimate, but it was undergoing departmental approval. GMM's program schedule was inconsistent with leading practices; of particular concern was that the program's final delivery date of September 2020 was not informed by a realistic assessment of GMM development activities, and rather was determined by imposing an unsubstantiated delivery date. Developing sound cost and schedule estimates is necessary to ensure that FEMA has a clear understanding of program risks.

	Of five key cybersecurity practices, FEMA fully addressed three and partially addressed two for GMM. Specifically, it categorized GMM's system based on security risk, selected and implemented security controls, and monitored security controls on an ongoing basis. However, the program had not initially established corrective action plans for 13 medium- and low-risk vulnerabilities. This conflicts with the Department of Homeland Security's (DHS) guidance that specifies that corrective action plans must be developed for every weakness identified. Until FEMA, among other things, ensures that the program consistently follows the department's guidance on preparing corrective action plans for all security vulnerabilities, GMM's system will remain at increased risk of exploits.

	Why GAO Did This Study

	FEMA, a component of DHS, annually awards billions of dollars in grants to help communities prepare for, mitigate the effects of, and recover from major disasters. However, FEMA's complex IT environment supporting grants management consists of many disparate systems. In 2008, the agency attempted to modernize these systems but experienced significant challenges. In 2015, FEMA initiated a new endeavor (the GMM program) aimed at streamlining and modernizing the grants management IT environment.

	GAO was asked to review the GMM program. GAO's objectives were to (1) determine the extent to which FEMA is implementing leading practices for reengineering its grants management processes and incorporating needs into IT requirements; (2) assess the reliability of the program's estimated costs and schedule; and (3) determine the extent to which FEMA is addressing key cybersecurity practices. GAO compared program documentation to leading practices for process reengineering and requirements management, cost and schedule estimation, and cybersecurity risk management, as established by the Software Engineering Institute, National Institute of Standards and Technology, and GAO.

	What GAO Recommends

	GAO is making eight recommendations to FEMA to implement leading practices related to reengineering processes, managing requirements, scheduling, and implementing cybersecurity. DHS concurred with all recommendations and provided estimated dates for implementing each of them.

	For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Tue, 09 Apr 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Data Breaches: Range of Consumer Risks Highlights Limitations of Identity Theft Services, Mar 27, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-230</link>
                <description>
	What GAO Found

	No one solution can address the range of potential risks from a data breach, according to interviews with academic, consumer, government, and industry experts and documentation GAO reviewed. Perpetrators of fraud can use stolen personal information—such as account numbers, passwords, or Social Security numbers—to take out loans or seek medical care under someone else's name, or make unauthorized purchases on credit cards, among other crimes. Foreign state-based actors can use personal information to support espionage or other nefarious uses.

	Public and private entities that experience a breach sometimes provide complimentary commercial identity theft services to affected individuals to help monitor their credit accounts or restore their identities in cases of identity theft, among other features. Consumers also may purchase the services. As of November 30, 2018, the Office of Personnel Management (OPM) had obligated about $421 million for a suite of credit and identity monitoring, insurance, and identity restoration services to offer to the approximately 22 million individuals affected by its 2015 data breaches. As of September 30, 2018, about 3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim. OPM re-competed and awarded a contract to the previously contracted company in December 2018.

	GAO's review did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services were less subject to identity theft or detected financial or other fraud more or less quickly than those who monitored their own accounts for free. A few experts said consumers could sign up for such services if offered for free. Credit monitoring may be convenient for consumers and personalized restoration services may help identity theft victims recover their identities, but such services do not prevent fraud from happening in the first place. The services also do not prevent or directly address risks of nonfinancial harm such as medical identity theft.

	Consumer, government, and industry experts highlighted other free options, including a credit freeze, which prevents one type of fraud. A freeze restricts businesses from accessing a person's credit report—and can prevent the illicit opening of a new account or loan in the person's name. A provision of federal law that took effect in September 2018 made it free for consumers to place or lift credit freezes quickly at the three nationwide consumer reporting agencies (Equifax, Experian, and TransUnion). Consumers also can regularly monitor their accounts and review their credit reports for free every 12 months. In addition, they can take advantage of free federal assistance such as the guidance on the Federal Trade Commission's IdentityTheft.gov website.

	Finally, large amounts of personal information are outside of consumers' control and bad actors can use stolen information for years after a breach. Therefore, experts noted that data security at entities that hold such information—and efforts to make stolen information less useful for identity thieves, through use of new identity verification technologies, for example—are important ways to mitigate risks of harm for consumers.

	Why GAO Did This Study

	Recent large-scale data breaches of public and private entities have put hundreds of millions of people at risk of identity theft or other harm. GAO was asked to review issues related to consumers' options to address risks of harm from data breaches. This report, among other things, examines information and expert views on the effectiveness of consumer options to address data breach risks. GAO analyzed available data on options, collected and analyzed related documentation, conducted a literature review of studies, and interviewed a nongeneralizable sample of 35 experts (from academia, government entities, consumer and industry organizations) and identity theft service providers to reflect a range of views.

	What GAO Recommends

	GAO reiterates a matter for congressional consideration and a recommendation from its 2017 report on identity theft services (GAO-17-254). In that report, GAO found that legislation requiring federal agencies that experience data breaches, including OPM, to offer certain levels of identity theft insurance coverage to affected individuals requires coverage levels that are likely unnecessary. Therefore, Congress should consider permitting agencies to determine the appropriate coverage level for such insurance. GAO also recommended the Office of Management and Budget (OMB) update its guidance for agency responses to data breaches, after analyzing the effectiveness of identity theft services relative to lower-cost alternatives. OMB did not agree or disagree and had not taken action as of early March 2019.

	For more information, contact Anna Maria Ortiz at (202) 512-8678 or ortiza@gao.gov.</description>
                <pubDate>Wed, 27 Mar 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs, Mar 12, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-144</link>
                <description>
	What GAO Found

	The 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015 (the act). However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018. In addition, most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series. Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined (see figure).

	Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies

	Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. By assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning.

	The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, the Office of Personnel Management (OPM) developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired.

	Why GAO Did This Study

	A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs.

	The act contains a provision for GAO to analyze and monitor agencies' workforce planning. GAO's objectives were to (1) determine the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and (2) describe the steps federal agencies took to identify work roles of critical need. GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials.

	What GAO Recommends

	GAO is making 28 recommendations to 22 agencies to review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, 20 agreed with the recommendations, one partially agreed, and one did not agree with one of two recommendations. GAO continues to believe that all of the recommendations are warranted.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Tue, 12 Mar 2019 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Internet Privacy and Data Security: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility, Mar 07, 2019</title>
                <link>https://www.gao.gov/products/GAO-19-427T</link>
                <description>
	What GAO Found

	The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers' personal information. At the federal level, the Federal Trade Commission (FTC) currently has the lead in overseeing Internet privacy, using its statutory authority under the FTC Act to protect consumers from unfair and deceptive trade practices. However, to date FTC has not issued regulations for Internet privacy other than those protecting financial privacy and the Internet privacy of children, which were required by law. For FTC Act violations, FTC may promulgate regulations but is required to use procedures that differ from traditional notice-and-comment processes and that FTC staff said add time and complexity.

	In the last decade, FTC has filed 101 enforcement actions regarding Internet privacy; nearly all actions resulted in settlement agreements requiring action by the companies. In most of these cases, FTC did not levy civil penalties because it lacked such authority for those particular violations. The Federal Communications Commission (FCC) has had a limited role in overseeing Internet privacy. From 2015 to 2017, FCC asserted jurisdiction over the privacy practices of Internet service providers. In 2016, FCC promulgated privacy rules for Internet service providers that Congress later repealed. FTC resumed privacy oversight of Internet service providers in June 2018.

	Stakeholders GAO interviewed had varied views on the current Internet privacy enforcement approach and how it could be enhanced. Most Internet industry stakeholders said they favored FTC's current approach—direct enforcement of its unfair and deceptive practices statutory authority, rather than promulgating and enforcing regulations implementing that authority. These stakeholders said that the current approach allows for flexibility and that regulations could hinder innovation. Other stakeholders, including consumer advocates and most former FTC and FCC commissioners GAO interviewed, favored having FTC issue and enforce regulations. Some stakeholders said a new data-protection agency was needed to oversee consumer privacy. Stakeholders identified three main areas in which Internet privacy oversight could be enhanced:

	
		Statute. Some stakeholders told GAO that an overarching Internet privacy statute could enhance consumer protection by clearly articulating to consumers, industry, and agencies what behaviors are prohibited.
	
		Rulemaking. Some stakeholders said that regulations can provide clarity, enforcement fairness, and flexibility. Officials from two other consumer protection agencies said their rulemaking authority assists in their oversight efforts and works together with enforcement actions.
	
		Civil penalty authority. Some stakeholders said FTC's Internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations of the FTC Act.


	Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy.

	Why GAO Did This Study

	This testimony summarizes the information contained in GAO's January 2019 report, entitled Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (GAO-19-52).

	For more information, contact Alicia Puente Cackley at (202) 512-8678 or cackleya@gao.gov or Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov.</description>
                <pubDate>Thu, 07 Mar 2019 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Security: Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its Program, Dec 20, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-70</link>
                <description>
	What GAO Found

	As GAO reported in June 2018, the Centers for Disease Control and Prevention (CDC) implemented technical controls and an information security program that were intended to safeguard the confidentiality, integrity, and availability of its information systems and information. However, GAO identified control and program deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations (see table below). GAO made 195 recommendations to address these deficiencies.

	Number of GAO-Identified Technical Control and Information Security Program Deficiencies at the Centers for Disease Control and Prevention and Associated Recommendations by Core Security Function

	Core security function   Technical control deficiencies   Technical control recommendations   Information security program deficiencies   Information security program recommendations
	Identify                  0                                0                                   5                                           5
	Protect                  85                              161                                   1                                           1
	Detect                    8                               18                                   3                                           3
	Respond                   1                                5                                   1                                           1
	Recover                   0                                0                                   1                                           1
	Total                    94                              184                                  11                                          11

	Source: GAO. | GAO-19-70

	As of August 2018, CDC had made significant progress in resolving many of the security deficiencies by implementing 102 of 184 (about 55 percent) technical control recommendations, and partially implementing 1 of 11 information security program recommendations made in the June 2018 report. The figure shows the status of CDC's efforts to implement the 195 recommendations.

	Status of GAO Recommendations to the Centers for Disease Control and Prevention 

	Additionally, CDC has created remedial action plans to implement the majority of the remaining open recommendations by September 2019. Until CDC implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and destruction.

	Why GAO Did This Study

	CDC is responsible for detecting and responding to emerging health threats and controlling dangerous substances. In carrying out its mission, CDC relies on information technology systems to receive, process, and maintain sensitive data. Accordingly, effective information security controls are essential to ensure that the agency's systems and information are protected from misuse and modification.

	GAO was asked to examine information security at CDC. In June 2018, GAO issued a limited official use only report on the extent to which CDC had effectively implemented technical controls and an information security program to protect the confidentiality, integrity, and availability of its information on selected information systems.

	This current report is a public version of the June 2018 report. In addition, for this public report, GAO determined the extent to which CDC has taken corrective actions to address the previously identified security program and technical control deficiencies and related recommendations for improvement. For this report, GAO reviewed supporting documents regarding CDC's actions on previously identified recommendations and interviewed personnel at CDC.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.</description>
                <pubDate>Thu, 20 Dec 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Department of Agriculture: Analysis of Selected Data Centers Did Not Follow Federal Guidance and Leading Practices, Dec 19, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-146R</link>
                <description>
	What GAO Found

	USDA's Assessment of the National Finance Center Data Center did not comprehensively address the cost-effectiveness, security, and demonstrated history of maintaining continuity of operations functions, as part of its cost-benefit assessment of selected data centers, as directed by the Consolidated Appropriations Act, 2018.

	Specifically, USDA's assessment did not address three of five elements for evaluating the cost-benefit and cost-effectiveness of the data centers selected for its review. For example, while identifying potential cost savings to the National Finance Center (NFC), the assessment did not determine the net present value of the life-cycle costs of operating the data centers, as recommended by the Office of Management and Budget (OMB). In addition, the assessment's security review included a limited evaluation of physical security for only two of the four data centers, and lacked an analysis of the information security controls for any of the selected data centers. Further, the continuity of operations review did not evaluate each data center's demonstrated ability to maintain continuity of operations functions, as required by the act. The assessment did, however, accurately report the Federal Risk and Authorization Management Program (FedRAMP) certification status of the four selected data centers.

	In discussing their approach to developing the assessment, General Services Administration (GSA) officials stated that they did not follow any policies or guidance for the development of this assessment. They also stated that their review of physical security was limited due to time limitations established by the mandate. Further, the officials stated that they did not evaluate the information security capabilities of the data centers because information on the information security posture for each data center was already available as part of the agencies' required reporting on Federal Information Security Modernization Act of 2014 (FISMA) metrics. As a result of the limited information provided, the assessment does not effectively inform stakeholders and congressional decision makers.

	Why GAO Did This Study

	The Consolidated Appropriations Act, 2018 required the Secretary of Agriculture to conduct and submit to the Committees on Appropriations, a detailed cost-benefit analysis that includes a complete analysis of the department's National Finance Center (NFC) data center and two other data centers of comparable size and complexity. The act required the analysis to also include an assessment of each data center's (1) cost-effectiveness; (2) security; (3) Federal Risk and Authorization Management Program (FedRAMP) certification status; and (4) demonstrated record of maintaining continuity of operations plan (COOP) functions without the disruption of critical operations.

	The act also included a provision for GAO to conduct a sufficiency review of USDA's assessment. This report identifies the extent to which the assessment addressed the cost-effectiveness, security, and continuity of operations of each data center in accordance with federal guidance and leading practices.

	To do so, GAO compared the assessment's analysis of each data center's cost-effectiveness, security, and continuity of operations with relevant federal guidelines and leading practices established by the Office of Management and Budget (OMB), GAO, and others. GAO also interviewed GSA officials who conducted the assessment, as well as officials representing the data centers included in the assessment.

	What GAO Recommends

	GAO recommends that the Secretary of Agriculture take four actions:

	The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)

	When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)

	When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)

	When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)

	USDA, GSA, DOT, and NASA received drafts of this report for comment. USDA generally disagreed with the findings and recommendations in the report. The department stated that conducting another assessment in accordance with OMB guidance would yield the same results as its original assessment. Nevertheless, GAO continues to believe its recommendations are warranted. An official in the Office of the Executive Secretariat at GSA concurred with the draft via email. DOT and NASA provided technical comments, which GAO incorporated into the report, as appropriate.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or WilshusenG@gao.gov or Oliver Richard at (202) 512-8424 or RichardO@gao.gov.</description>
                <pubDate>Wed, 19 Dec 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Security: Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against Intrusions, Dec 18, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-105</link>
                <description>
	What GAO Found

	The 23 civilian agencies covered by the Chief Financial Officers Act of 1990 (CFO Act) have often not effectively implemented the federal government's approach and strategy for securing information systems (see figure below). Until agencies more effectively implement the government's approach and strategy, federal systems will remain at risk. To illustrate:

	As required by Office of Management and Budget (OMB), inspectors general (IGs) evaluated the maturity of their agencies' information security programs using performance measures associated with the five core security functions—identify, protect, detect, respond, and recover. The IGs at 17 of the 23 agencies reported that their agencies' programs were not effectively implemented.

	IGs also evaluated information security controls as part of the annual audit of their agencies' financial statements, identifying material weaknesses or significant deficiencies in internal controls for financial reporting at 17 of the 23 civilian CFO Act agencies.

	Chief information officers (CIOs) for 17 of the 23 agencies reported not meeting all elements of the government's cybersecurity cross-agency priority goal. The goal was intended to improve cybersecurity performance through, among other things, maintaining ongoing awareness of information security, vulnerabilities, and threats; and implementing technologies and processes that reduce malware risk.

	Executive Order 13800 directed OMB, in coordination with the Department of Homeland Security (DHS), to assess and report on the sufficiency and appropriateness of federal agencies' processes for managing cybersecurity risks. Using performance measures for each of the five core security functions, OMB determined that 13 of the 23 agencies were managing overall enterprise risks, while the other 10 agencies were at risk. In assessing agency risk by core security function, OMB identified a few agencies to be at high risk (see figure at the top of next page).

	Fiscal Year 2017 Indicators of the 23 Selected Civilian Agencies' Effectiveness in Implementing the Federal Approach and Strategy for Securing Information Systems

	Risk Management Assessment Ratings by Core Security Function for the 23 Civilian Chief Financial Officers Act of 1990 Agencies, Fiscal Year 2017

	DHS and OMB facilitated the use of intrusion detection and prevention capabilities to secure federal agency systems, but further efforts remain. For example, in response to prior GAO recommendations, DHS had improved the capabilities of the National Cybersecurity Protection System (NCPS), which is intended to detect and prevent malicious traffic from entering agencies' computer networks. However, the system still had limitations, such as not having the capability to scan encrypted traffic. The department was also in the process of enhancing the capabilities of federal agencies to automate network monitoring for malicious activity through its Continuous Diagnostics and Mitigation (CDM) program. However, the program was running behind schedule and officials at most agencies indicated the need for additional training and guidance. Further, the Federal CIO issued a mandated report assessing agencies' intrusion detection and prevention capabilities, but the report did not address required information, such as the capability of NCPS to detect advanced persistent threats, and a cost/benefit comparison of capabilities to commercial technologies and tools.

	Selected agencies had not consistently implemented capabilities to detect and prevent intrusions into their computer networks. Specifically, the agencies told GAO that they had not fully implemented required actions for protecting email, cloud services, host-based systems, and network traffic from malicious activity. For example, 21 of 23 agencies had not, as of September 2018, sufficiently enhanced email protection through implementation of DHS' directive on enhanced email security. In addition, less than half of the agencies that use cloud services reported monitoring these services. Further, most of the selected 23 agencies had not fully implemented the tools and services available through the first two phases of DHS's CDM program. Until agencies more thoroughly implement capabilities to detect and prevent intrusions, federal systems and the information they process will be vulnerable to malicious threats.

	Why GAO Did This Study

	Federal agencies are dependent on information systems to carry out operations. The risks to these systems are increasing as security threats evolve and become more sophisticated. To reduce the risk of a successful cyberattack, agencies can deploy intrusion detection and prevention capabilities on their networks and systems.

	GAO first designated federal information security as a government-wide high-risk area in 1997. In 2015, GAO expanded this area to include protecting the privacy of personally identifiable information. Most recently, in September 2018, GAO updated the area to identify 10 critical actions that the federal government and other entities need to take to address major cybersecurity challenges.

	The federal approach and strategy for securing information systems is grounded in the provisions of the Federal Information Security Modernization Act of 2014 and Executive Order 13800. The act requires agencies to develop, document, and implement an agency-wide program to secure their information systems. The Executive Order, issued in May 2017, directs agencies to use the National Institute of Standards and Technology's cybersecurity framework to manage cybersecurity risks.

	The Federal Cybersecurity Enhancement Act of 2015 contained a provision for GAO to report on the effectiveness of the government's approach and strategy for securing its systems. GAO determined (1) the reported effectiveness of agencies' implementation of the government's approach and strategy; (2) the extent to which DHS and OMB have taken steps to facilitate the use of intrusion detection and prevention capabilities to secure federal systems; and (3) the extent to which agencies reported implementing capabilities to detect and prevent intrusions.

	To address these objectives, GAO analyzed OMB reports related to agencies' information security practices including OMB's annual report to Congress for fiscal year 2017. GAO also analyzed and summarized agency-reported security performance metrics and IG-reported information for the 23 civilian CFO Act agencies. In addition, GAO evaluated plans, reports, and other documents related to DHS intrusion detection and prevention programs, and interviewed OMB, DHS, and agency officials.

	What GAO Recommends

	GAO is making two recommendations to DHS to, among other things, coordinate with agencies to identify additional needs for training and guidance. GAO is also making seven recommendations to OMB to, among other things, direct the Federal CIO to update the mandated report with required information, such as detecting advanced persistent threats. DHS concurred with GAO's recommendations. OMB did not indicate whether it concurred with the recommendations or not.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Tue, 18 Dec 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Technology: Implementation of Recommendations Is Needed to Strengthen Acquisitions, Operations, and Cybersecurity, Dec 12, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-275T</link>
                <description>
	What GAO Found

	The Office of Management and Budget (OMB) and federal agencies have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure federal cybersecurity through a series of initiatives. As of November 2018, agencies had fully implemented about 59 percent of the 1,242 IT management-related recommendations that GAO has made since fiscal year 2010. Likewise, agencies had implemented about 73 percent of the approximately 3,000 security-related recommendations that GAO has made since 2010. Even with this progress, significant actions remain to be completed.

	Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assigned 35 key IT management responsibilities to CIOs to help address longstanding challenges. However, in August 2018, GAO reported that none of the 24 selected agencies had policies that fully addressed the role of their CIO, as called for by laws and guidance. GAO recommended that OMB and each of the 24 agencies take actions to improve the effectiveness of CIOs' implementation of their responsibilities. As of November 2018, none of the 27 recommendations had been implemented.

	IT contract approval. According to FITARA, covered agencies' CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight over these acquisitions. As of November 2018, 27 of the recommendations had not been addressed.

	Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to agencies, data center consolidation and optimization efforts have resulted in approximately $4.5 billion in cost savings through 2018. Even so, additional work remains. GAO has made 160 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets. However, as of November 2018, 47 of the recommendations had not been fully addressed.

	Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings, and made 135 recommendations to improve such management. As of December 2018, 27 of the recommendations had not been implemented.

	Improving the security of federal IT systems. While the government has acted to protect federal information systems, agencies need to improve security programs, cyber capabilities, and the protection of personally identifiable information. The approximately 3,000 recommendations that GAO has made to agencies since 2010 were aimed at improving the security of federal systems and information. Specifically, these recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. As of November 2018, 688 of the security-related recommendations had not been implemented.

	Why GAO Did This Study

	The federal government planned to invest more than $96 billion in IT in fiscal year 2018. However, IT investments have often failed or contributed little to mission-related outcomes. Further, increasingly sophisticated threats and frequent cyber incidents underscore the need for effective information security. As a result, GAO added two areas to its high-risk list: cybersecurity in 1997 and the management of IT acquisitions and operations in 2015.

	This statement summarizes federal agencies' progress in improving the management, and ensuring the security, of federal IT. It is primarily based on GAO's reports issued between February 1997 and August 2018 (and an ongoing review) on (1) CIO responsibilities, (2) agency CIOs' involvement in approving IT contracts, (3) data center consolidation efforts, (4) the management of software licenses, and (5) compliance with cybersecurity requirements.

	What GAO Recommends

	Since fiscal year 2010, GAO has made 1,242 recommendations to OMB and agencies to address shortcomings in IT acquisitions and operations. Since fiscal year 2010, GAO also has made over 3,000 recommendations to federal agencies to improve the security of federal systems. These recommendations include those to improve the implementation of CIO responsibilities, the oversight of the data center consolidation initiative, software license management efforts, and the strength of security programs and technical controls. Most agencies agreed with the recommendations, and GAO will continue to monitor their implementation.

	For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Wed, 12 Dec 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information, Dec 06, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-114R</link>
                <description>
	What GAO Found

	Seven designated agencies--the Departments of Homeland Security, Justice, Defense, Commerce, Energy, and the Treasury, and the Office of the Director of National Intelligence--developed government-wide policies, procedures, and guidelines to assist federal and nonfederal entities in their efforts to receive and share cybersecurity information. In particular, these policies, procedures, and guidelines met the eight provisions of the Cybersecurity Information Sharing Act of 2015 (hereafter referred to as the act) on removal of personal information from cyber threat indicators and defensive measures.

	As defined in the act, cyber threat indicators include threat-related information such as methods of defeating or causing users to unwittingly enable the defeat of security controls and methods of exploiting cybersecurity vulnerabilities. Defensive measures include any actions, devices, procedures, techniques, or other means that detect, prevent, or mitigate a known or suspected cybersecurity threat or vulnerability.

	More specifically, the government-wide policies, procedures, and guidelines collectively met the act's provisions by:

		outlining ways in which federal entities are to share classified and unclassified cyber threat indicators and defensive measures in a way that mitigates adverse effects;

		defining roles and responsibilities of federal and nonfederal entities when sharing information, in areas such as notification of an error or protection against unauthorized access; and

		providing details on the process for submitting, receiving, handling, and disseminating cyber threat indicators and defensive measures.


	As required by the act, these artifacts also addressed eight fair information practice principles, as applicable, that are the widely accepted framework to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. Specifically, the government-wide guidelines do so by establishing or considering the fair information practice principles as the primary guiding principles for all federal entity activities related to the receipt, retention, use, and dissemination of cyber threat indicators, as authorized by the act.

	Why GAO Did This Study

	Federal agencies and our nation's critical infrastructures, such as communications and financial services, are dependent on information technology systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.

	In December 2015, the President signed the Cybersecurity Information Sharing Act of 2015 into law to encourage the sharing of cyber threat information between the public and private sectors. The act included a provision for GAO to review actions taken by the federal government to remove personal information from cyber threat indicators when shared among federal and nonfederal entities. GAO determined the extent to which seven federal agencies designated by the act developed government-wide policies, procedures, and guidelines for the removal of personal information from cyber threat indicators, pursuant to the act's provisions and fair information practice principles. To do so, GAO gathered and analyzed the policies, procedures, and guidelines developed under the act and compared them to eight requirements in the act related to the removal of personal information.

	What GAO Recommends

	GAO is making no recommendations.

	For more information, contact Nick Marinos at 202-512-9342 or marinosn@gao.gov.</description>
                <pubDate>Thu, 06 Dec 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Information Security: OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain Open, Nov 13, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-143R</link>
                <description>
	What GAO Found

	The Office of Personnel Management (OPM) has made progress in implementing GAO's recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1.

	Table 1: OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018

	                                          Number of Recommendations
	GAO Report Number   Closed-implemented   Open-insufficient evidence   Open-no evidence   Total
	GAO-16-501                           0                            1                  3       4
	GAO-16-687SU                        46                            2                 14      62
	GAO-17-459SU                         2                            1                  6       9
	GAO-17-614                           3                            1                  1       5
	Total                               51                            5                 24      80

	Source: GAO analysis of OPM evidence. | GAO-19-143R

	Notes:

	Closed-implemented: GAO validated that OPM implemented the recommendation.

	Open-insufficient evidence: GAO determined that evidence provided by OPM was insufficient to demonstrate that the agency had implemented the recommendation.

	Open-no evidence: OPM did not provide GAO with any evidence that the agency had implemented the recommendation.

	According to officials in OPM's Office of the Chief Information Officer, the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. The agency expects to implement 3 additional recommendations by the end of fiscal year 2019. OPM has created remedial action plans for each of the 28 open recommendations that it plans to implement.

	However, OPM does not intend to implement the one remaining recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided GAO with evidence of these controls. Expeditiously implementing all open recommendations is essential to ensuring appropriate controls are in place to protect the agency’s systems and information.

	Why GAO Did This Study

	The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the data files related to background investigations for 21.5 million individuals.

	From February 2015 through August 2017, GAO conducted multiple reviews of OPM's information security and issued four reports based on these reviews. The reports contained 80 recommendations for improving the agency's security posture.

	The Explanatory Statement that accompanies the Consolidated Appropriations Act, 2018, included a provision for GAO to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO's information security recommendations. GAO's objective for this report was to determine the extent to which OPM has implemented the recommendations to improve the agency's information security.

	What GAO Recommends

	GAO is not making any new recommendations with this product.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Tue, 13 Nov 2018 00:00:00 -0500</pubDate>
            </item>
            <item>
                <title>Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities, Oct 09, 2018</title>
                <link>https://www.gao.gov/products/GAO-19-128</link>
                <description>
	What GAO Found

	The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. This state is due to the computerized nature of weapon systems; DOD's late start in prioritizing weapon systems cybersecurity; and DOD's nascent understanding of how to develop more secure weapon systems. DOD weapon systems are more software dependent and more networked than ever before (see figure).

	Embedded Software and Information Technology Systems Are Pervasive in Weapon Systems (Represented via Fictitious Weapon System for Classification Reasons)

	

	Automation and connectivity are fundamental enablers of DOD's modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.

	In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

	DOD has recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DOD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities. However, DOD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities. To address these challenges and improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD's weapon systems cybersecurity efforts.

	Why GAO Did This Study

	DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.

	GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems' cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems.

	To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices.

	What GAO Recommends

	GAO is not making any recommendations at this time. GAO will continue to evaluate this issue.

	For more information, contact Cristina Chaplain, 202-512-4841, or chaplainc@gao.gov.</description>
                <pubDate>Tue, 09 Oct 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower Information, Sep 17, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-518</link>
                <description>
	What GAO Found

	The Department of Education's Office of Federal Student Aid (FSA) partners with various entities (“non-school partners”) that are involved primarily in supporting the repayment and collection of student loans.

	Federal loan servicers are responsible for collecting payments on loans and providing customer service to borrowers on behalf of the Department of Education through its Direct Loan program.

	Private collection agencies collect on loans that are in default and work with borrowers to help them get out of default.

	Guaranty agencies insure lenders against loss due to borrower default and carry out a variety of loan administration activities.

	Federal Family Education Loan lenders are non-federal lenders, such as banks, credit unions, or other lending institutions, that made loans to students in the past and continue to service these loans.

	FSA shares a variety of personally identifiable information (PII) on borrowers with its non-school partners. This includes names, addresses, phone numbers, email addresses, Social Security numbers, and financial information.

	Key practices for overseeing the protection of PII shared with non-federal entities include requiring (1) risk-based security and privacy controls, (2) independent assessments to ensure controls are effectively implemented, (3) corrective actions to address identified weaknesses in controls, and (4) ongoing monitoring of control status. FSA established oversight policies and procedures for loan servicers and private collection agencies that generally address these key practices. However, FSA exercises minimal oversight of lenders' protection of student data (see table).

	Extent to Which Federal Student Aid Processes Address Key Practices for Overseeing the Protection of Personally Identifiable Information

	Non-school partner                      Security and privacy controls   Independent assessments   Corrective actions   Ongoing monitoring
	Loan servicers                          ●                               ●                         ●                    ◐
	Private collection agencies             ●                               ●                         ●                    ◐
	Guaranty agencies                       ◐                               ●                         ●                    ○
	Federal Family Education Loan Lenders   ◐                               ○                         ○                    ○

	Key: ● = FSA provided evidence of processes and procedures that addressed all aspects of the key practice; ◐ = FSA provided evidence of processes and procedures that addressed some but not all aspects of the key practice; ○ = FSA did not provide evidence of processes and procedures that addressed the key practice

	Source: GAO analysis of Federal Student Aid data. | GAO-18-518

	FSA officials maintain that the lenders are subject to other legal and regulatory requirements for protecting customer data. However, FSA does not have a process for ensuring lenders are complying with these requirements, and thus lacks assurance that appropriate risk-based safeguards are being effectively implemented, tested, and monitored.

	Why GAO Did This Study

	FSA administers billions of dollars in student financial aid, including loans and grants, to eligible college students. The processing of student aid is complex, and FSA relies on non-school partners to carry out various activities supporting the student aid process, such as loan repayment and collection.

	GAO was asked to review how FSA ensures the protection of PII by its non-school partners. The objectives of this review were to (1) describe the roles of non-school partners and the types of PII shared with them and (2) assess the extent to which FSA policies and procedures for overseeing the non-school partners' protection of student aid data adhere to federal requirements, guidance, and best practices.

	To address these objectives, GAO collected and reviewed FSA documentation, reports, policies, and procedures and compared FSA policies and procedures to four key practices included in federal guidance for overseeing the protection of PII by non-federal entities. GAO also interviewed FSA officials with responsibility for the oversight of non-school partners.

	What GAO Recommends

	GAO is making six recommendations to FSA to ensure that its oversight of non-school partners addresses the four key practices for ensuring the protection of PII. FSA concurred with three of the recommendations, partially concurred with two, and did not concur with one. It also described actions planned or under way to implement four of the recommendations. GAO maintains that all of its recommendations are warranted.

	For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.</description>
                <pubDate>Mon, 17 Sep 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>High-Risk Series: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, Sep 06, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-622</link>
                <description>
	What GAO Found

	GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities.

	Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges

	

	GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of these action areas, including protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents. Although many recommendations have been addressed, about 1,000 have not yet been implemented. Until these shortcomings are addressed, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist.

	Why GAO Did This Study

	Federal agencies and the nation's critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on information technology systems to carry out operations. The security of these systems and the data they use is vital to public confidence and national security, prosperity, and well-being.

	The risks to these systems are increasing as security threats evolve and become more sophisticated. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.

	This report provides an update to the information security high-risk area. To do so, GAO identified the actions the federal government and other entities need to take to address cybersecurity challenges. GAO primarily reviewed prior work issued since the start of fiscal year 2016 related to privacy, critical federal functions, and cybersecurity incidents, among other areas. GAO also reviewed recent cybersecurity policy and strategy documents, as well as information security industry reports of recent cyberattacks and security breaches.

	What GAO Recommends

	GAO has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of August 2018, about 1,000 still needed to be implemented.

	For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Thu, 06 Sep 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach, Aug 30, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-559</link>
                <description>
	What GAO Found

	In July 2017, Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes (see fig.). The Equifax breach resulted in the attackers accessing personal information of at least 145.5 million individuals. Equifax's investigation of the breach identified four major factors (identification, detection, segmentation of access to databases, and data governance) that allowed the attackers to gain access to its network and extract information from databases containing personally identifiable information. Equifax reported that it took steps to mitigate these factors and attempted to identify and notify individuals whose information was accessed. The company's public filings since the breach occurred reiterate that the company took steps to improve security and notify affected individuals.

	The Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS)—three of the major federal customer agencies that use Equifax's identity verification services—conducted assessments of the company's security controls, which identified a number of lower-level technical concerns that Equifax was directed to address. The agencies also made adjustments to their contracts with Equifax, such as modifying notification requirements for future data breaches. In the case of IRS, one of its contracts with Equifax was terminated. The Department of Homeland Security offered assistance in responding to the breach; however, Equifax reportedly declined the assistance because it had already retained professional services from an external cybersecurity consultant. In addition, the Bureau of Consumer Financial Protection and the Federal Trade Commission, which have regulatory and enforcement authority over consumer reporting agencies (CRAs) such as Equifax, initiated an investigation into the breach and Equifax's response in September 2017. The investigation is ongoing.

	How Attackers Exploited Vulnerabilities in the 2017 Breach, Based on Equifax Information

	Why GAO Did This Study

	CRAs such as Equifax assemble information about consumers to produce credit reports and may provide other services, such as identity verification to federal agencies and other organizations. Data breaches at Equifax and other large organizations have highlighted the need to better protect sensitive personal information.

	GAO was asked to report on the major breach that occurred at Equifax in 2017. This report (1) summarizes the events regarding the breach and the steps taken by Equifax to assess, respond to, and recover from the incident and (2) describes actions by federal agencies to respond to the breach. To do so, GAO reviewed documents from Equifax and its cybersecurity consultant related to the breach and visited the Equifax data center in Alpharetta, Georgia, to interview officials and observe physical security measures. GAO also reviewed relevant public statements filed by Equifax. Further, GAO analyzed documents from the IRS, SSA, and USPS, which are Equifax's largest federal customers for identity-proofing services, and interviewed federal officials related to their oversight activities and response to the breach.

	What GAO Recommends

	GAO is not making recommendations in this report. GAO plans to issue separate reports on federal oversight of CRAs and consumer rights regarding the protection of personally identifiable information collected by such entities. A number of federal agencies and Equifax provided technical comments which we incorporated as appropriate.

	For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov, or Michael Clements at (202) 512-8678 or ClementsM@gao.gov.</description>
                <pubDate>Thu, 30 Aug 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Information Security: IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data, Jul 31, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-391</link>
                <description>
	What GAO Found

	The Internal Revenue Service (IRS) has made progress in resolving a number of previously reported control deficiencies. During fiscal year 2017, the agency made improvements in access controls by, for example, restricting unnecessary user access to certain applications and enforcing strong encryption on certain systems. IRS also corrected a previously identified contingency planning weakness for one system.

	Nevertheless, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS's financial and tax processing systems. For example, IRS did not consistently (1) implement access controls by enforcing password expirations and minimum password lengths or by updating expiration dates for contractor passwords; (2) apply configuration management controls by documenting authorizations and approvals for changes to mainframe data and processing, or by installing critical security patches on multiple devices; and (3) implement certain components of its security program by correcting weaknesses in procedures or by updating system security plans. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, many deficiencies have not been corrected, and a large number of recommendations remained open at the conclusion of the audit of IRS's financial statements for fiscal year 2017.

	Status of GAO Information Security Control Recommendations to IRS to Correct Control Deficiencies at the Conclusion of Fiscal Year 2017

	Information security control area | Prior recommendations open at the beginning of FY 2017 | Prior recommendations closed at the end of FY 2017 | New recommendations resulting from FY 2017 audit | Total outstanding recommendations at the end of FY 2017
	Access controls | 120 | (35) | 21 | 106
	Configuration management | 29 | (10) | 13 | 32
	Segregation of duties | 1 | (0) | 0 | 1
	Contingency planning | 2 | (1) | 1 | 2
	Security program | 14 | (3) | 2 | 13
	Total | 166 | (49) | 37 | 154


	Legend: FY = fiscal year

	Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-18-391

	Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017.

	Why GAO Did This Study

	The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the sensitive financial and taxpayer information that reside on those systems.

	As part of its audit of IRS's fiscal year 2017 and 2016 financial statements, GAO assessed whether controls over financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over selected financial systems and applications; and interviewed key agency officials at four IRS locations.

	What GAO Recommends

	In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 5 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 32 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS agreed with GAO's recommendations and stated that it would review each of the recommendations and ensure that its corrective actions include a root cause analysis for sustainable fixes that implement appropriate security controls.

	For more information, contact Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Tue, 31 Jul 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>High-Risk Series: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, Jul 25, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-645T</link>
                <description>
	What GAO Found

	GAO has identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities.

	Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges

	GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of these action areas, including protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents. Although many recommendations have been addressed, about 1,000 have not yet been implemented. Until these shortcomings are addressed, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist.

	Why GAO Did This Study

	Federal agencies and the nation's critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on information technology systems to carry out operations. The security of these systems and the data they use is vital to public confidence and national security, prosperity, and well-being.

	The risks to these systems are increasing as security threats evolve and become more sophisticated. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.

	GAO was asked to update its information security high-risk area. To do so, GAO identified the actions the federal government and other entities need to take to address cybersecurity challenges. GAO primarily reviewed prior work issued since the start of fiscal year 2016 related to privacy, critical federal functions, and cybersecurity incidents, among other areas. GAO also reviewed recent cybersecurity policy and strategy documents, as well as information security industry reports of recent cyberattacks and security breaches.

	What GAO Recommends

	GAO has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented.

	For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Wed, 25 Jul 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Information Security: Supply Chain Risks Affecting Federal Agencies, Jul 12, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-667T</link>
                <description>
	What GAO Found

	Reliance on a global supply chain introduces multiple risks to federal information systems. Supply chain threats are present during the various phases of an information system's development life cycle and could create an unacceptable risk to federal agencies. Information technology (IT) supply chain-related threats are varied and can include:

	installation of intentionally harmful hardware or software (i.e., containing “malicious logic”);

	installation of counterfeit hardware or software;

	failure or disruption in the production or distribution of critical products;

	reliance on malicious or unqualified service providers for the performance of technical services; and

	installation of hardware or software containing unintentional vulnerabilities, such as defective code.

	These threats can have a range of impacts, including allowing adversaries to take control of systems or decreasing the availability of materials needed to develop systems. These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain. Examples of such vulnerabilities include the acquisition of products or parts from unauthorized distributors; inadequate testing of software updates and patches; and incomplete information on IT suppliers. Malicious actors could exploit these vulnerabilities, leading to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain.

	GAO reported in 2012 that the four national security-related agencies in its review—the Departments of Defense, Justice, Energy, and Homeland Security (DHS)—varied in the extent to which they had addressed supply chain risks. Of the four agencies, Defense had made the most progress addressing the risks. It had defined and implemented supply chain protection controls, and initiated efforts to monitor the effectiveness of the controls. Conversely, Energy and DHS had not developed or documented policies and procedures that defined security measures for protecting against IT supply chain threats and had not developed capabilities for monitoring the implementation and effectiveness of the measures. Although Justice had defined supply chain protection measures, it also had not developed or documented procedures for implementing or monitoring the measures.

	Energy and Justice fully implemented the recommendations that GAO made in its 2012 report and resolved the deficiencies that GAO had identified with their supply chain risk management efforts by 2016. DHS also fully implemented two recommendations to document policies and procedures for defining and implementing security measures to protect against supply chain threats by 2015, but could not demonstrate that it had fully implemented the recommendation to develop and implement a monitoring capability to assess the effectiveness of the security measures.

	Why GAO Did This Study

	IT systems are essential to the operations of the federal government. The supply chain—the set of organizations, people, activities, and resources that create and move a product from suppliers to end users—for IT systems is complex and global in scope. The exploitation of vulnerabilities in the IT supply chain is a continuing threat. Federal security guidelines provide for managing the risks to the supply chain.

	This testimony statement highlights information security risks associated with the supply chains used by federal agencies to procure IT systems. The statement also summarizes GAO's 2012 report that assessed the extent to which four national security-related agencies had addressed such risks. To develop this statement, GAO relied on its previous reports, as well as information provided by the national security-related agencies on their actions in response to GAO's previous recommendations. GAO also reviewed federal information security guidelines and directives.

	What GAO Recommends

	In its 2012 report, GAO recommended that Justice, Energy, and DHS take eight actions, as needed, to develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk. The departments generally concurred with the recommendations and subsequently implemented seven recommendations and partially implemented the eighth recommendation.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Thu, 12 Jul 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions, Jun 14, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-466</link>
                <description>
	What GAO Found

	As required by the Federal Cybersecurity Workforce Assessment Act of 2015 (act), the Office of Personnel Management (OPM) developed a cybersecurity coding structure under the National Initiative for Cybersecurity Education (NICE) as well as procedures for assigning codes to federal civilian cybersecurity positions. However, OPM issued the coding structure and procedures 5 and 4 months later than the act's deadlines, respectively, because OPM was working with the National Institute of Standards and Technology (NIST) to align the structure and procedures with the draft NICE Cybersecurity Workforce Framework, which NIST issued later than planned. OPM also submitted a progress report to Congress on the implementation of the act 1 month after it was due. The delays in issuing the coding structure and procedures have extended the expected time frames for implementing subsequent provisions of the act.

	Most of the 24 agencies covered by the Chief Financial Officers (CFO) Act submitted baseline assessment reports to Congress, but the results may not be reliable. As of March 2018, 21 of the 24 CFO Act agencies had conducted baseline assessments identifying the extent to which their cybersecurity employees held professional certifications and had submitted the assessment reports to Congress as required by the act. Three agencies had not conducted the assessments for various reasons, such as a lack of resources and tools to do so. Of the 21 agencies that did, 4 did not address all of the reportable information, such as the extent to which personnel without professional certifications were ready to obtain them or strategies for mitigating any gaps. Additionally, agencies were limited in their ability to obtain complete or consistent information about their cybersecurity employees and the certifications they held. This was because agencies had not yet fully identified all members of their cybersecurity workforces or did not have a consistent list of appropriate certifications for cybersecurity positions. As a result, the agencies had limited assurance that their assessment results accurately reflected all relevant employees or the extent to which those employees held appropriate certifications. This diminishes the usefulness of the assessments in determining the certification and training needs of these agencies' cybersecurity employees.

	Most of the 24 CFO Act agencies established coding procedures, but 6 agencies only partially addressed certain activities required by OPM in their procedures. Of the 24 agencies reviewed, 23 had established procedures to identify their civilian cybersecurity positions and assign the appropriate employment codes to the positions as called for by the act. However, 6 of the 23 agencies did not address one or more of 7 activities required by OPM in their procedures, such as the activities to review all filled and vacant positions and annotate reviewed position descriptions with the appropriate employment code. These 6 agencies cited a variety of reasons for not addressing all of the required activities in their coding procedures. For example, these agencies stated that they addressed the activities in existing guidance or did not include activities that their components did not have the responsibility to perform. By not addressing all of the required activities in their coding procedures, the 6 agencies lack assurance that the activities will be performed or performed consistently throughout their agency.

	Why GAO Did This Study

	A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The Federal Cybersecurity Workforce Assessment Act of 2015 requires OPM and federal agencies to take several actions related to cybersecurity workforce planning.

	GAO is to monitor agencies' progress in implementing the act's requirements. For this report, GAO assessed whether: (1) OPM developed a coding structure and procedures for assigning codes to cybersecurity positions and submitted a progress report to Congress; (2) CFO Act agencies submitted complete, reliable baseline assessments of their cybersecurity workforces; and (3) CFO Act agencies established procedures to assign codes to cybersecurity positions. GAO examined OPM's coding procedures and progress report on the act's implementation, and baseline assessments and coding procedures from the 24 CFO Act agencies. GAO also interviewed relevant OPM and agency officials about efforts to address the act's requirements.

	What GAO Recommends

	GAO is making 30 recommendations to 13 agencies to fully implement two of the act's requirements on baseline assessments and coding procedures. Of the 12 agencies that received recommendations and provided comments on the report, 7 agreed with the recommendations made to them, 4 did not state whether they agreed or disagreed, and 1 did not agree with one of the two recommendations made to it. GAO continues to believe that the recommendation is valid, as discussed in this report.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Thu, 14 Jun 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses, May 22, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-337</link>
                <description>
	What GAO Found

	The National Aeronautics and Space Administration (NASA) has not yet effectively implemented leading practices for information technology (IT) management. Specifically, GAO identified weaknesses in NASA's IT management practices for strategic planning, workforce planning, governance, and cybersecurity.

	NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA's updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs. Until NASA establishes a comprehensive IT strategic plan, it will lack critical information needed to align resources with business strategies and investment decisions.

	Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership. Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs.

	NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended.

	NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.

	NASA Implementation of Cybersecurity Risk Management Practices

	Practice | Status
	Executive oversight of risk | While NASA has designated a risk executive, the agency lacks a dedicated office to provide comprehensive executive oversight of risks.
	Cybersecurity risk management strategy | NASA lacks an agency-wide cybersecurity risk management strategy; one is currently in development.
	Information security program plan | NASA developed a draft agency-wide information security program plan; however, the plan does not yet fully address leading practices.
	Policies and procedures | Policies and procedures for protecting NASA's information systems are in place, but the agency has not kept them current or integrated.


	Source: GAO analysis of National Aeronautics and Space Administration documentation. | GAO-18-337

	As NASA continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions, the agency's cybersecurity weaknesses make its systems more vulnerable to compromise. Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks will remain limited.

	Why GAO Did This Study

	NASA depends heavily upon IT to conduct its work. The agency spends at least $1.5 billion annually on IT investments that support its missions, including ground control systems for the International Space Station and space exploration programs.

	The National Aeronautics and Space Administration Transition Authorization Act of 2017 included a provision for GAO to review the effectiveness of NASA's approach to overseeing and managing IT, including its ability to ensure that resources are aligned with agency missions and are cost effective and secure. Accordingly, GAO's specific objective for this review was to determine the extent to which NASA has established and implemented leading IT management practices in strategic planning, workforce planning, governance, and cybersecurity. To address this objective, GAO compared NASA IT policies, strategic plans, workforce gap assessments, and governance board documentation to federal law and leading practices. GAO also assessed NASA IT security plans, policies, and procedures against leading cybersecurity risk management practices.

	What GAO Recommends

	GAO is making 10 recommendations to NASA to address the deficiencies identified in NASA IT strategic planning, workforce planning, governance, and cybersecurity. NASA concurred with seven recommendations, partially concurred with two, and did not concur with one. GAO maintains that all of the recommendations discussed in this report remain valid.

	For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.</description>
                <pubDate>Tue, 22 May 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Protecting Classified Information: Defense Security Service Should Address Challenges as New Approach Is Piloted, May 14, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-407</link>
                <description>
	What GAO Found

	The Defense Security Service (DSS) has upgraded its capabilities but also faces challenges in administering the National Industrial Security Program, which applies to all executive branch departments and agencies, and was established to safeguard federal government classified information that current or prospective contractors may access. Since we last reported on this program in 2005, DSS has:

	
		streamlined facility clearance and monitoring processes, and


	
		strengthened the process for identifying contractors with potential foreign influence.


	However, under its current approach, DSS officials indicated that they face resource constraints, such as an inability to manage workloads and complete training necessary to stay informed on current threats and technologies. In its most recent report to Congress, DSS stated that it was unable to conduct security reviews at about 60 percent of cleared facilities in fiscal year 2016. Further, DSS recently declared that the United States is facing the most significant foreign intelligence threat it has ever encountered. As a result, in 2017, DSS announced plans to transition to a new monitoring approach to address emerging threats at facilities in the program. For a comparison of the current and new approaches, see below.

	Comparison of the Defense Security Service's (DSS) Current and New Approaches for Monitoring Cleared Facilities

	Current Monitoring Approach | New Approach (DSS in Transition)
	Schedules security reviews on a 90-day work plan starting with specific facilities, such as those with mitigation agreements for foreign influence or classified information systems. | Will use national intelligence and Department of Defense's list of critical technologies and programs to prioritize security reviews at facilities based on their assets and the threats to those assets.
	Conducts security reviews that focus on a contractor's adherence with National Industrial Security Program Operating Manual requirements. | Will conduct security reviews to develop customized security plans and assess implementation of such plans to ensure contractors protect assets.


	Source: GAO analysis of DSS documentation and interviews with DSS officials. | GAO-18-407

	DSS has not addressed immediate challenges that are critical to piloting this new approach. For example, GAO found it is unclear how DSS will determine what resources it needs as it has not identified roles and responsibilities. Moreover, DSS has not established how it will collaborate with stakeholders—government contracting activities, the government intelligence community, other government agencies, and contractors—under the new approach. Federal Internal Control Standards establish the importance of coordinating with stakeholders, including clearly defining roles and responsibilities. In addition, GAO's leading practices for interagency collaboration state that it is important for organizations to identify the resources necessary to accomplish objectives. Until DSS identifies roles and responsibilities and determines how it will collaborate with stakeholders for the piloting effort, it will be difficult to assess whether the new approach is effective in protecting classified information.

	Why GAO Did This Study

	Industrial security addresses the information systems, personnel, and physical security of facilities and their cleared employees who have access to or handle classified information. The National Industrial Security Program was established in 1993 to safeguard federal government classified information that may be or has been released to contractors, among others. GAO last reported on this program in 2005 and the Department of Defense has since implemented 13 of the 16 related recommendations.

	GAO was asked to examine how DSS administers the program. This report assesses to what extent DSS: 1) changed how it administers the program since GAO's last report; and 2) addressed challenges as it pilots a new approach to monitoring contractors with access to classified information.

	GAO reviewed guidance and regulations since 2005, including the program's operating manual. GAO analyzed data from DSS's electronic databases and also selected a non-generalizable sample of contractor facilities based on clearance level, geographic location, and type of agreement to address foreign influence. We also reviewed documents and interviewed relevant government and contractor officials.

	What GAO Recommends

	GAO recommends DSS determine how it will collaborate with stakeholders, including identifying roles and responsibilities and related resources, as it pilots a new approach. DSS concurred with the recommendation.

	For more information, contact Marie A. Mak at (202) 512-4841 or MakM@gao.gov.</description>
                <pubDate>Mon, 14 May 2018 00:00:00 -0400</pubDate>
            </item>
            <item>
                <title>Cybersecurity: DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks, Apr 24, 2018</title>
                <link>https://www.gao.gov/products/GAO-18-520T</link>
                <description>
	What GAO Found

	In recent years, the Department of Homeland Security (DHS) has acted to improve and promote the cybersecurity of federal and private-sector computer systems and networks, but further improvements are needed. Specifically, consistent with its statutory authorities, DHS has made important progress in implementing programs and activities that are intended to mitigate cybersecurity risks on the computer systems and networks supporting federal operations and our nation's critical infrastructure. For example, the department has:

	provided limited intrusion detection and prevention capabilities to entities across the federal government;

	issued cybersecurity related binding operational directives to federal agencies;

	served as the federal-civilian interface for sharing cybersecurity related information with federal and nonfederal entities;

	promoted the use of the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; and

	partially assessed its cybersecurity workforce.

	Nevertheless, the department has not taken sufficient actions to ensure that it successfully mitigates cybersecurity risks on federal and private-sector computer systems and networks. For example, GAO reported in 2016 that DHS's National Cybersecurity Protection System (NCPS) had only partially met its stated system objectives of detecting and preventing intrusions, analyzing malicious content, and sharing information. GAO recommended that DHS enhance capabilities, improve planning, and support greater adoption of NCPS.

	In addition, although the department's National Cybersecurity and Communications Integration Center generally performed required functions such as collecting and sharing cybersecurity related information with federal and non-federal entities, GAO reported in 2017 that the center needed to evaluate its activities more completely. For example, the extent to which the center had performed its required functions in accordance with statutorily defined implementing principles was unclear, in part, because the center had not established metrics and methods by which to evaluate its performance against the principles. Further, in its role as the lead federal agency for collaborating with eight critical infrastructure sectors including the communications and dams sectors, DHS had not developed metrics to measure and report on the effectiveness of its cyber risk mitigation activities or on the cybersecurity posture of the eight sectors.

	GAO reported in 2018 that DHS had taken steps to assess its cybersecurity workforce; however, it had not identified all of its cybersecurity positions and critical skill requirements.

	Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department's ability to improve and promote the cybersecurity of federal and private-sector networks will be limited.

	Why GAO Did This Study

	The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security. GAO first designated information security as a government-wide high-risk area in 1997. GAO expanded the high-risk area to include the protection of cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.

	Federal law and policy provide DHS with broad authorities to improve and promote cybersecurity. DHS plays a key role in strengthening the cybersecurity posture of the federal government and promoting cybersecurity of systems supporting the nation's critical infrastructures.

	This statement highlights GAO's work related to federal programs implemented by DHS that are intended to improve federal cybersecurity and cybersecurity over systems supporting critical infrastructure. In preparing this statement, GAO relied on a body of work issued since fiscal year 2016 that highlighted, among other programs, DHS's NCPS, national integration center activities, and cybersecurity workforce assessment efforts.

	What GAO Recommends

	Since fiscal year 2016, GAO has made 29 recommendations to DHS to enhance the capabilities of NCPS, establish metrics and methods for evaluating performance, and fully assess its cybersecurity workforce, among other things. As of April 2018, DHS had not demonstrated that it had fully implemented most of the recommendations.

	For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.</description>
                <pubDate>Tue, 24 Apr 2018 00:00:00 -0400</pubDate>
            </item>	</channel>
</rss>