Information Security

Open Recommendations

Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions

GAO-25-107470
Jun 11, 2025
4 Open Recommendations

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to issue guidance to help facilitate agencies' implementation of the network security management and data protection management capabilities within the CDM program. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to develop milestones for addressing data quality issues on an ongoing basis. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to work with the 23 civilian Chief Financial Officers Act agencies to ensure that willing agencies are onboarded to the Persistent Access Capability. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to update the agency's strategy associated with its cloud asset management activities to include required resources, provide the strategy to agencies, and implement the strategy. (Recommendation 4)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Spectrum IT Modernization: NTIA Should Fully Incorporate Cybersecurity and Interoperability Practices

GAO-25-107509
May 22, 2025
5 Open Recommendations

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk management strategy that includes a determination of organizational risk tolerance, acceptable risk assessment methodologies, and details on strategies for responding to risks (such as risk acceptance, mitigation, or avoidance). (Recommendation 1)
Status: Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk assessment that leverages aggregated information from system-level risk assessment results and risk considerations relevant at the organization level. (Recommendation 2)
Status: Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Department of Commerce and the NTIA Office of Spectrum Management to ensure and document that system security plans for NTIA's spectrum IT systems are reviewed, at a minimum, annually, and include logs detailing the date of review and resulting changes. (Recommendation 3)
Status: Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to fully document identity, credential, and access management procedures for its cloud systems, including identification of authorized users and their roles, and associated access privileges, for each of its spectrum IT legacy systems. (Recommendation 4)
Status: Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to specify a time frame for developing a data governance plan that resolves conflicts related to the application of NTIA's new data standard and defines roles and responsibilities for making decisions regarding the standard. (Recommendation 5)
Status: Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.

Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures

GAO-25-107377
Apr 30, 2025
4 Open Recommendations

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct that ONS develop and disseminate training and guidance on supply chain risk assessment standards that enable operating divisions to implement effective risk management for genomic data security while maintaining a focus on their core missions. (Recommendation 1)
Status: Open
HHS concurred with this recommendation. We will update the status of the recommendation when we receive information on steps HHS has taken to address it.

Agency Affected: National Institutes of Health
Recommendation: The director of NIH should direct that NIH begin systematically tracking the extent to which intramural and extramural researchers use genetic services provided by entities with ties to countries of concern. (Recommendation 2)
Status: Open
NIH concurred with this recommendation. We will update the status of the recommendation when we receive information on steps NIH has taken to address it.

Agency Affected: National Institutes of Health
Recommendation: The director of NIH should require the development and implementation of procedures to proactively and comprehensively monitor researcher compliance with data management and security measures for human genomic data. (Recommendation 3)
Status: Open
NIH concurred with this recommendation. We will update the status of the recommendation when we receive information on steps NIH has taken to address it.

Agency Affected: Centers for Disease Control and Prevention
Recommendation: The director of CDC should direct CDC to develop and implement procedures, across all its centers that maintain restricted-access repositories with human genomic information, to proactively and comprehensively monitor researcher compliance with data management and security measures. (Recommendation 4)
Status: Open
CDC concurred with this recommendation. We will update the status of the recommendation when we receive information on steps CDC has taken to address it.

Internet of Things: Federal Actions Needed to Address Legislative Requirements

GAO-25-107179
Dec 04, 2024
10 Open Recommendations

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1)
Status: Open
At the time of our report, OMB did not comment on the draft report. Subsequently, in January 2025, OMB issued new guidance on identifying and securing IoT and operational technology (OT) devices. The guidance reiterated requirements for agencies to develop IoT and OT inventories and for IoT waivers to be signed by the agency head and provided to the agency Chief Information Officer (CIO). The guidance states that CIOs must make these waivers available to OMB upon request and ensure that such waivers are documented in relevant system security plans. However, OMB has yet to demonstrate that it is verifying agency-reported IoT waivers. We will continue to review OMB's activities in this area.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2)
Status: Open
In December 2024, agency officials stated that the agency was in the process of inventorying its IoT assets and that the inventory would be completed around the end of calendar year 2024. As of May 2025, we have not received an update on the status of the inventory effort. We will continue to review the department's progress in this area.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3)
Status: Open
In December 2024, agency officials stated that the agency was evaluating potential solutions for completing its IoT inventory and would develop a target date to finalize the initial inventory. As of May 2025, we have not received an update on the status of the inventory effort. We will continue to review the department's progress in this area.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4)
Status: Open
In April 2025, agency officials noted that, due to limited resources and competing priorities (such as zero trust initiatives and implementing OMB's Memorandum M-24-15: Modernizing the Federal Risk and Authorization Management Program), progress on establishing a plan and time frame for completing the covered IoT inventory was delayed. They estimated the tasks would be completed by the end of fiscal year 2025. We will continue to follow the department's progress in this area.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5)
Status: Open
In May 2025, agency officials stated that VA was in the process of updating the policies and contract security processes that support the procurement of IoT and medical devices. They also described activities to address OMB's covered IoT inventory requirements, including verifying IoT asset data. The planned efforts are scheduled to be completed by September 30, 2025. We will continue to review the department's progress in this area.

Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6)
Status: Open
In December 2024, EPA agency officials provided steps the agency planned to take to finalize the Office of Management and Budget's covered IoT inventory requirements and stated that the inventory would be completed by February 28, 2025. As of May 2025, we have not received an update on the status of the inventory effort. We will continue to review the department's progress in this area.