Information Security

Recent Reports

Information Technology and Cybersecurity: Significant Attention Is Needed to Address High-Risk Areas

Published: Apr 16, 2021.

Publicly Released: Apr 16, 2021.

Management Report: Improvements Needed in the Bureau of the Fiscal Service's Information System Controls Related to the Schedule of Federal Debt

GAO-21-305R

Published: Mar 30, 2021.

Publicly Released: Mar 30, 2021.

High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges

GAO-21-288

Published: Mar 24, 2021.

Publicly Released: Mar 24, 2021.

Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems

GAO-21-81

Published: Mar 18, 2021.

Publicly Released: Mar 18, 2021.

Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans

GAO-21-25

Published: Feb 11, 2021.

Publicly Released: Mar 15, 2021.

Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

GAO-21-236

Published: Mar 10, 2021.

Publicly Released: Mar 10, 2021.

View More Reports

Open Recommendations

Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

GAO-21-236

Mar 10, 2021

Show

11 Open Recommendations

Agency Affected	Recommendation	Status
Cybersecurity and Infrastructure Security Agency	The Director of CISA should establish expected completion dates for those phase three tasks that are past their completion dates, with priority given to those tasks critical to mission effectiveness. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should establish an overall deadline for the completion of the transformation initiative. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should establish plans, including time frames, for developing outcome-oriented performance measures to gauge the extent to which the agency's efforts are meeting the goals of the organizational transformation. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should collect input to ensure that organizational changes are aligned with the needs of stakeholders, taking into account coordination challenges identified in this report. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should establish processes for monitoring the effects of efforts to reduce fragmentation, overlap, and duplication including identifying potential cost savings. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should establish an approach, including time frames, for measuring outcomes of the organizational transformation, including customer satisfaction with organizational changes. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

GAO-21-86

Oct 09, 2020

Show

6 Open Recommendations

Agency Affected	Recommendation	Status
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy

GAO-20-629

Sep 22, 2020

Show

2 Open Recommendations

Agency Affected	Recommendation	Status
National Security Council	The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:<br><br> an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;<br><br> measures of performance and formal mechanism to track progress of the execution of activities; and<br><br> an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Congress	Congress should consider legislation to designate a leadership position in the White House with the commensurate authorityfor example, over budgets and resourcesto implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Information Security and Privacy: HUD Needs a Major Effort to Protect Data Shared with External Entities

GAO-20-431

Sep 21, 2020

Show

5 Open Recommendations

Agency Affected	Recommendation	Status
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)	Open HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific actions planned to address this recommendation. Specifically, the department plans to update policies and procedures, templates for agreements, and contract language in new or updated contracts regarding requirements for implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. In addition, the department intends to develop additional procedures focused on oversight of external entities' compliance with security and privacy requirements. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)	Open HUD did not agree or disagree with the recommendation. In February 2021, HUD reported plans to address this recommendation by updating its security and privacy policies and templates for agreements to address requirements for independent assessments of external entities that process, store, or share sensitive information with HUD, including requiring approval of agreements by the Chief Information Office, Chief Information Security Office, and system owners. In addition, the department intends to develop additional procedures for overseeing compliance with these requirements. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)	Open HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific plans for addressing this recommendation. Specifically, the department intends to update its templates for agreements and language in new and revised contracts to address requirements for identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. In addition, the department plans to update its security procedures with requirements for other government, for-profit or nonprofit organizations to plan and manage corrective actions. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)	Open HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific actions planned to address this recommendation. Specifically, the department intends to update the templates for its agreements and establish new procedures to require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)	Open HUD did not agree or disagree with the recommendation. In February 2021, HUD reported on specific actions planned for addressing this recommendation. Specifically, the department intends to develop and maintain an inventory of systems that share information with external entities, including sufficient, reliable information about the entities, the information shared, and each entity's level of access. In addition, HUD intends to develop procedures for maintaining the inventory; ensuring that HUD IT officials collect comprehensive information about whether external entities are implementing leading practices and protecting sensitive information; and requiring program offices and system owners to ensure that all types of external entities protect information. We will continue to monitor the implementation of this recommendation.