Skip to main content

Image

Information Security

Jump To:

Image

Open Recommendations

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

GAO-25-107703
Nov 21, 2024
Show
1 Open Recommendations
Agency Affected Recommendation Status
Office of the National Cyber Director The National Cyber Director should (1) lead the coordination of the national quantum computing cybersecurity strategy and (2) ensure that the strategy's various documents address all the desirable characteristics of a national strategy. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems

GAO-24-106744
Aug 01, 2024
Show
4 Open Recommendations
Agency Affected Recommendation Status
Environmental Protection Agency The Administrator of EPA should, as required by law, conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities, and consequences. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency The Administrator of EPA should develop and implement a risk-informed cybersecurity strategy, in coordination with other federal and sector stakeholders, to guide its water sector cybersecurity programs. Such a strategy should include information from a risk assessment and should identify objectives, activities, and performance measures; roles, responsibilities, and coordination; and needed resources and investments. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency The Administrator of EPA should evaluate its existing legal authorities for carrying out EPA's cybersecurity responsibilities and seek any needed enhancements to such authorities from the administration and Congress. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency The Administrator of EPA should submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

IT Systems Annual Assessment: DOD Needs to Strengthen Software Metrics and Address Continued Cybersecurity and Reporting Gaps

GAO-24-106912
Jul 11, 2024
Show
1 Open Recommendations
Agency Affected Recommendation Status
Department of Defense We are making one recommendation to the Department of Defense that the Secretary direct the Chief Information Officer and Under Secretary of Defense for Acquisition and Sustainment to ensure that IT business programs developing software use the metrics and management tools required by DOD and consistent with those identified in GAO's Agile Assessment Guide.
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Personnel Vetting: DOD Needs to Enhance Cybersecurity of Background Investigation Systems

GAO-24-106179
Jun 20, 2024
Show
10 Open Recommendations
Agency Affected Recommendation Status
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer identifies and documents all stages of the information life cycle for each information type the system processes, stores, or transmits. (Recommendation 1)
Open
DOD agreed with this recommendation with comment. In its written comments, DCSA acknowledged that the data flow and boundary artifacts for the National Background Investigation Services (NBIS) and legacy systems partially complied with the National Institute of Technology (NIST 800-53) Revision 5 requirements. They stated that the DCSA CIO and Chief Information Security Officer will integrate NBIS and legacy systems into its existing to ensure senior DCSA officials fully implement all recommended tasks to include those for privacy controls. to ensure senior DCSA officials fully implement all recommended tasks to include those for privacy controls. Further, DCSA stated it will audit documentation of NBIS/legacy systems external inventory/application services no later than August 30, 2024.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes system-level risk assessments and documents the results. (Recommendation 4)
Open
DOD agreed with this recommendation, with comment. In its written response, DCSA stated it will integrate NBIS/legacy systems into its existing oversight processes, including execution of the Cybersecurity Product Evaluations (CPE) process to perform initial risk assessments no later than October 2024. The CPE process is a structured product vetting effort developed to ensure all products being considered for inclusion in DCSA networks are properly and uniformly analyzed for compliance with DOD and DCSA security regulations.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer allocates security and privacy requirements to the system and to the environment in which the system operates and documents the results. (Recommendation 5)
Open
DOD agreed with this recommendation, with comment. In its written comments, DCSA stated it would conduct a comprehensive review of NBIS/legacy systems control postures no later than July 2024. Additionally, DCSA noted they have a coordinated a concerted effort to begin the administrative and technical transition of the automated system of record eMASS to accommodate the migration from Revision 4 controls to the Revision 5 control set.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior officials complete all tasks in the risk management framework's prepare step. (Recommendation 6)
Open
DOD agreed with this recommendation, with comment. In its written comments, DCSA stated it would address the remaining incomplete tasks in the risk management framework's prepare step, no later than March 30, 2025.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer updates the selected security control baselines for NBIS and legacy systems to correspond with the current version of NIST Special Publication 800-53 after DOD updates the relevant guidance. (Recommendation 7)
Open
DOD agreed with this recommendation, with comment. In it written comments, DCSA reiterated its plan to conduct a comprehensive review of NBIS/legacy systems control postures no later than July 2024.
Department of Defense The Secretary of Defense should ensure DOD's Chief Information Officer updates the department's policies and procedures related to the Risk Management Framework to use the current version of NIST Special Publication 800-53. (Recommendation 8)
Open
DOD did not agree with this recommendation; however, we continue to believe the recommendation is warranted. DOD issued a memo in October 2023 announcing the department's adoption and transition timeline to NIST Special Publication 800-53 Revision 5. According to the memo, systems that have a current authorization decision should develop a strategy and schedule for the transition that must not exceed the system re-authorization timeline of every three years. The six background investigation systems we selected each received approval or authorization to operate on the DOD network between July 2023 and November 2023. Thus, these six systems will need to establish strategies and schedules within three years of their authorization dates. DOD needs to provide documentation of DCSA's strategy and schedule for implementing these additional controls.

GAO Contacts