
Information Security


Open Recommendations

Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology

GAO-24-106576
Mar 07, 2024
4 Open Recommendations
Agency Affected Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) measure customer service for all of its OT products and services and (2) use the results of such measures to make improvements to the products and services. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) develop OT competency and staffing requirements, (2) assess OT competency and staffing gaps, and (3) develop strategies for filling any gaps. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should issue guidance on how SRMAs should update sector-specific plans that reflects the five selected leading collaboration practices when agencies are mitigating cyber OT risks. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) develop an agency-wide policy on agreements with SRMAs regarding collaboration to mitigate OT risks and (2) implement that policy with the selected agencies. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Artificial Intelligence: Fully Implementing Key Practices Could Help DHS Ensure Responsible Use for Cybersecurity

GAO-24-106246
Feb 07, 2024
8 Open Recommendations
Agency Affected Recommendation Status
Department of Homeland Security The Chief Technology Officer should expand its review process to include steps to verify the accuracy of its AI inventory submissions. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Director of CISA should develop metrics to consistently measure progress toward all stated goals and objectives for Automated PII Detection. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Director of CISA should clearly define the roles and responsibilities and delegation of authority of all relevant stakeholders involved in managing and overseeing the implementation of the Automated PII Detection component to ensure effective operations and sustained oversight. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Director of CISA should document the sources and origins of data used to develop the Automated PII Detection component. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Director of CISA should take steps to assess and document the reliability of data used to enhance the representativeness, quality, and accuracy of the Automated PII Detection component. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Director of CISA should document its process for optimizing the elements used within the Automated PII Detection component. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: National Cyber Director Needs to Take Additional Actions to Implement an Effective Strategy

GAO-24-106916
Feb 01, 2024
2 Open Recommendations
Agency Affected Recommendation Status
Office of the National Cyber Director The Director of ONCD should work with relevant federal entities to assess the initiatives that lend themselves to outcome-oriented performance measures and develop such performance measures for those initiatives in a timely manner to gauge effectiveness in meeting the goals and objectives of the National Cybersecurity Strategy. (Recommendation 1)
Open
ONCD agreed with this recommendation and said it will assess the initiatives to identify those that warrant outcome-oriented performance measures. When we confirm what actions ONCD has taken in response to this recommendation, we will provide updated information.
Office of the National Cyber Director The Director of ONCD should work with relevant federal entities to assess the initiatives to identify those that warrant a cost estimate and develop such cost estimates. (Recommendation 2)
Open
ONCD disagreed with this recommendation. We continue to believe that the recommendation is valid because we identified initiatives that may require significant costs. As such, we will monitor ONCD's efforts to address this recommendation.

Cloud Security: Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed

GAO-24-106591
Jan 18, 2024
3 Open Recommendations
Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB, in collaboration with the FedRAMP PMO, should issue guidance to agencies to ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services. (Recommendation 1)
Open
In October 2023, OMB published proposed guidance for public comment to modernize the FedRAMP program, as required by the FedRAMP Authorization Act (44 U.S.C. §§ 3608-3616). The proposed guidance calls for the FedRAMP program management office and the FedRAMP board to seek feedback from industry on how to reduce the burden and cost of the FedRAMP authorization process for both federal agencies and cloud service providers. OMB requested that agencies report aggregated cloud security costs but did not ask agencies to separately track and report the specific costs for sponsoring the authorizations or provide them with guidance on how to track these costs. As a result, we recommended that OMB issue guidance to ensure agencies consistently track and report the costs of sponsoring a FedRAMP authorization. OMB did not comment on the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should finalize and implement the proposed new FedRAMP guidance, to include addressing the challenges identified in this report. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration The Administrator of General Services should direct the Director of FedRAMP to develop a plan, including firm time frames, for issuing guidance on how CSPs can navigate the FIPS 140-3 cryptographic requirements. (Recommendation 3)
Open
GSA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.