
Open Recommendations

Office of Congressional Workplace Rights: Weaknesses in Cybersecurity Management and Oversight Need to Be Addressed

GAO-20-199
Feb 11, 2020
5 Open Recommendations

Agency affected: Other
Recommendation 1: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Other
Recommendation 2: The Executive Director should ensure the development and implementation of oversight procedures for each externally operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and (4) reviewing the assessment.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Other
Recommendation 3: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Other
Recommendation 4: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Other
Recommendation 5: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid

GAO-19-332
Sep 25, 2019
3 Open Recommendations

Agency affected: Department of Energy
Recommendation 1: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.
Status: Open. DOE concurred with this recommendation and said it is in the process of creating an implementation plan that will be released in the fall of 2019. When we confirm release of the plan, we will provide updated information.

Agency affected: Federal Energy Regulatory Commission
Recommendation 2: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity Framework and address current and projected risks.
Status: Open. FERC concurred with this recommendation and said it would take steps to implement it. When we confirm any actions FERC takes in response to this recommendation, we will provide updated information.

Agency affected: Federal Energy Regulatory Commission
Recommendation 3: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.
Status: Open. FERC concurred with this recommendation and said it would take steps to implement it. When we confirm any actions FERC takes in response to this recommendation, we will provide updated information.

Federal Information Security: Agencies and OMB Need to Strengthen Policies and Practices

GAO-19-545
Jul 26, 2019
2 Open Recommendations

Agency affected: Office of Management and Budget
Recommendation 2: The Director of OMB should expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security.
Status: Open. As of November 2019, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.

Agency affected: Office of Management and Budget
Recommendation 3: The Director of OMB should collaborate with CIGIE to ensure that the inspector general reporting metrics include the FISMA-required information security program element for system security plans.
Status: Open. As of November 2019, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.

Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges

GAO-19-384
Jul 25, 2019
58 Open Recommendations

Agency affected: Office of Management and Budget
Recommendation 1: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management; and (4) establishing agencies' cybersecurity risk management strategies.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of Agriculture
Recommendation 2: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of Agriculture
Recommendation 3: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plans of action and milestones (POA&M) prioritization.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of Agriculture
Recommendation 4: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of Commerce
Recommendation 5: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of Commerce
Recommendation 6: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.