Information Security

Recent Reports

COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls

GAO-21-583

Published: Sep 30, 2021.

Publicly Released: Sep 30, 2021.

GSA Online Marketplaces: Plans to Measure Progress and Monitor Data Protection Efforts Need Further Development

GAO-21-104572

Published: Sep 28, 2021.

Publicly Released: Sep 28, 2021.

Exposure Notification: Benefits and Challenges of Smartphone Applications to Augment Contact Tracing

GAO-21-104622

Published: Sep 09, 2021.

Publicly Released: Sep 09, 2021.

Cybersecurity and Information Technology: Federal Agencies Need to Strengthen Efforts to Address High-Risk Areas

GAO-21-105325

Published: Jul 28, 2021.

Publicly Released: Jul 28, 2021.

Critical Infrastructure Protection: TSA Is Taking Steps to Address Some Pipeline Security Program Weaknesses

GAO-21-105263

Published: Jul 27, 2021.

Publicly Released: Jul 27, 2021.

Veterans Affairs: Systems Modernization, Cybersecurity, and IT Management Issues Need to Be Addressed

GAO-21-105304

Published: Jul 01, 2021.

Publicly Released: Jul 01, 2021.

View More Reports

Open Recommendations

Cybersecurity: HHS Defined Roles and Responsibilities, but Can Further Improve Collaboration

GAO-21-403

Jun 28, 2021

Show

7 Open Recommendations

Agency Affected	Recommendation	Status
Department of Health and Human Services	The Secretary of HHS should direct the Chief Information Officer to coordinate cybersecurity information sharing between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the Chief Information Officer to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the Chief Information Officer to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to (1) finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will collaborate, (2) identify the roles and responsibilities of the working group, (3) monitor and update the written agreements on a regular basis, and (4) ensure that authorizing officials leading the working group approve the finalized agreements. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

GAO-21-236

Mar 10, 2021

Show

11 Open Recommendations

Agency Affected	Recommendation	Status
Department of Homeland Security	The Director of CISA should establish expected completion dates for those phase three tasks that are past their completion dates, with priority given to those tasks critical to mission effectiveness. (Recommendation 1)	Open CISA concurred with this recommendation and in March 2021 agency leadership issued a memorandum that directed several actions to transition transformation activities into operational tasks for implementation by CISA's divisions and mission support offices. However, CISA has not yet detailed how the remaining phase three tasks have been allocated to its divisions and mission support offices. In September 2021, CISA stated that it will provide updated documentation to show the tasks have been allocated by December 31, 2021. Once CISA has provided information, we plan to verify whether implementation has occurred.
Department of Homeland Security	The Director of CISA should establish an overall deadline for the completion of the transformation initiative. (Recommendation 2)	Open CISA concurred with this recommendation, and in March 2021 agency leadership issued a memorandum that directed several actions to transition transformation activities into operational tasks for implementation by CISA's divisions and mission support offices. According to CISA, this constituted the end of phase three of its transformation effort; however, CISA did not provide documentation which detailed how the remaining phase three tasks have been allocated to its divisions and mission support offices, or estimated time frames for completing these remaining tasks. In September 2021, the agency stated that it would provide additional documentation of these activities by December 31, 2021. Once CISA has provided this information, we will verify whether implementation has occurred.
Department of Homeland Security	The Director of CISA should establish plans, including time frames, for developing outcome-oriented performance measures to gauge the extent to which the agency's efforts are meeting the goals of the organizational transformation. (Recommendation 3)	Open CISA concurred with this recommendation and in September 2021 described actions planned and under way to implement it. Specifically, the agency stated that it is developing a draft workplan and timeline to identify metrics and establish an outcome-oriented performance measurement approach. Once complete, CISA stated that this plan will, among other things, gauge the agency's efforts to meet the identified goals of the organizational transformation. CISA plans to complete its effort to identify outcome-oriented performance measures by March 31, 2022. Once CISA has provided documentation of its efforts, will will verify whether implementation has occurred.
Department of Homeland Security	The Director of CISA should collect input to ensure that organizational changes are aligned with the needs of stakeholders, taking into account coordination challenges identified in this report. (Recommendation 4)	Open CISA concurred with this recommendation and in September 2021 stated that it will continue to work with other Sector Risk Management Agencies (SRMA) and with sector partners to define measures and associated data collection processes and procedures necessary to evaluate the effectiveness and performance of SRMAs. This will include the extent to which organizational changes within CISA, or any other SRMA, are aligned with the needs of sector stakeholders. CISA plans to complete this effort by December 30, 2022. Once CISA provides documentation of its actions, will will verify whether implementation has occurred.
Department of Homeland Security	The Director of CISA should establish processes for monitoring the effects of efforts to reduce fragmentation, overlap, and duplication including identifying potential cost savings. (Recommendation 5)	Open CISA concurred with this recommendation and in September 2021 stated that it has conducted an initial methodological assessment of potential approaches to measure fragmentation, duplication, and overlap, as well as an initial review of a baseline analysis. Further, the agency stated that it plans to further refine its measurement approach, including estimates of cost savings generated by the reorganization. CISA plans to complete this effort by December 30, 2022. Once the agency provides documentation of its actions, we plan to verify that implementation has occurred.
Department of Homeland Security	The Director of CISA should establish an approach, including time frames, for measuring outcomes of the organizational transformation, including customer satisfaction with organizational changes. (Recommendation 6)	Open CISA concurred with this recommendation and in September 2021 stated that its Infrastructure Security Division , supported by the Stakeholder Engagement Division, will work with Sector Risk Management Agencies (SRMA) and with sector partners to define performance measures and associated data collection processes and procedures necessary to evaluate the overall performance and effectiveness of SRMAs. This will include customer satisfaction with organizational changes in CISA or other SRMAs. CISA plans to complete this effort by December 30, 2022. Once the agency has provided documentation of its actions, we plan to verify whether implementation has occurred.

Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

GAO-21-86

Oct 09, 2020

Show

6 Open Recommendations

Agency Affected	Recommendation	Status
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration	The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy

GAO-20-629

Sep 22, 2020

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
National Security Council	The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include: an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations; measures of performance and formal mechanism to track progress of the execution of activities; and an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)	Open We will follow-up with the Office of the National Cyber Director (NCD) on any efforts taken to address this recommendation.