
Open Recommendations

Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

GAO-21-236
Mar 10, 2021
11 Open Recommendations
Agency Affected Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of CISA should establish expected completion dates for those phase three tasks that are past their completion dates, with priority given to those tasks critical to mission effectiveness. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should establish an overall deadline for the completion of the transformation initiative. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should establish plans, including time frames, for developing outcome-oriented performance measures to gauge the extent to which the agency's efforts are meeting the goals of the organizational transformation. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should collect input to ensure that organizational changes are aligned with the needs of stakeholders, taking into account coordination challenges identified in this report. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should establish processes for monitoring the effects of efforts to reduce fragmentation, overlap, and duplication including identifying potential cost savings. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should establish an approach, including time frames, for measuring outcomes of the organizational transformation, including customer satisfaction with organizational changes. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

GAO-21-86
Oct 09, 2020
6 Open Recommendations
Agency Affected Recommendation Status
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy

GAO-20-629
Sep 22, 2020
2 Open Recommendations
Agency Affected Recommendation Status
National Security Council The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:
• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;
• measures of performance and formal mechanism to track progress of the execution of activities; and
• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Congress Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Information Security and Privacy: HUD Needs a Major Effort to Protect Data Shared with External Entities

GAO-20-431
Sep 21, 2020
5 Open Recommendations
Agency Affected Recommendation Status
Department of Housing and Urban Development The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)
Open
HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific actions planned to address this recommendation. Specifically, the department plans to update policies and procedures, templates for agreements, and contract language in new or updated contracts regarding requirements for implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. In addition, the department intends to develop additional procedures focused on oversight of external entities' compliance with security and privacy requirements. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)
Open
HUD did not agree or disagree with the recommendation. In February 2021, HUD reported plans to address this recommendation by updating its security and privacy policies and templates for agreements to address requirements for independent assessments of external entities that process, store, or share sensitive information with HUD, including requiring approval of agreements by the Chief Information Office, Chief Information Security Office, and system owners. In addition, the department intends to develop additional procedures for overseeing compliance with these requirements. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)
Open
HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific plans for addressing this recommendation. Specifically, the department intends to update its templates for agreements and language in new and revised contracts to address requirements for identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. In addition, the department plans to update its security procedures with requirements for other government, for-profit or nonprofit organizations to plan and manage corrective actions. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)
Open
HUD did not agree or disagree with the recommendation. In February 2021, HUD reported specific actions planned to address this recommendation. Specifically, the department intends to update the templates for its agreements and establish new procedures to require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. We will continue to monitor the implementation of this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)
Open
HUD did not agree or disagree with the recommendation. In February 2021, HUD reported on specific actions planned for addressing this recommendation. Specifically, the department intends to develop and maintain an inventory of systems that share information with external entities, including sufficient, reliable information about the entities, the information shared, and each entity's level of access. In addition, HUD intends to develop procedures for maintaining the inventory; ensuring that HUD IT officials collect comprehensive information about whether external entities are implementing leading practices and protecting sensitive information; and requiring program offices and system owners to ensure that all types of external entities protect information. We will continue to monitor the implementation of this recommendation.