Skip to main content

Information Security

Jump To:

Recent Reports

View More Reports

Open Recommendations

Weapon System Sustainment: DOD Can Improve Planning and Management of Data Rights [Reissued with revisions on Sep. 29, 2025]
GAO-25-107468
Sep 29, 2025
Show
4 Open Recommendations
Agency Affected Recommendation Status
Congress Congress should consider clarifying how DOD and contractors should treat detailed manufacturing or process data that is necessary for OMIT purposes. (Matter for Consideration 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) should ensure the Director of the IP Cadre updates the IP guidebook or produces guidance to address the courses of action available to programs in sustainment to obtain IP and data rights. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense OUSD A&S should ensure the Director of the IP Cadre formally assesses available tools to assist programs with the review of data deliverables, in coordination with officials responsible for the tools' development. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense OUSD A&S should ensure the Director of the IP Cadre establishes a process to collect and distribute IP and data rights lessons learned from programs in sustainment. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

DOD Cyberspace Operations: About 500 Organizations Have Roles, with Some Potential Overlap
GAO-25-107121
Sep 17, 2025
Show
2 Open Recommendations
Agency Affected Recommendation Status
Department of Defense The Secretary of Defense should ensure that the Assistant Secretary of Defense for Cyber Policy assesses the extent to which similar cyberspace training courses provided by the services overlap and can be consolidated to ensure that the military services are implementing a federated and joint training model in a manner that achieves efficiencies and reduces training development and delivery costs. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense should ensure that the Assistant Secretary of Defense for Cyber Policy assesses the extent to which there are opportunities to achieve cost savings and efficiencies by consolidating DOD cybersecurity service providers. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: NASA Needs to Fully Implement Risk Management
GAO-25-108138
Jun 25, 2025
Show
16 Open Recommendations
Agency Affected Recommendation Status
National Aeronautics and Space Administration The NASA Administrator should ensure that NASA's Chief Information Officer prepares and approves an organization-wide cybersecurity risk assessment. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that the documented impact levels for confidentiality, integrity, and availability for all systems match the risk of the system, and that any changes to the provisional impact levels are fully justified in accordance with NASA policy. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to update its guidance to include oversight responsibilities for ensuring NASA-defined control baselines are properly applied when baselines are updated. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to update its policies to provide more specific guidance about how to document assessment results for all types of critical controls including inherited controls. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the first system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the second system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions
GAO-25-107470
Jun 11, 2025
Show
4 Open Recommendations
Agency Affected Recommendation Status
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to issue guidance to help facilitate agencies' implementation of the network security management and data protection management capabilities within the CDM program. (Recommendation 1)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to develop milestones for addressing data quality issues on an ongoing basis. (Recommendation 2)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to work with the 23 civilian Chief Financial Officers Act agencies to ensure that willing agencies are onboarded to the Persistent Access Capability. (Recommendation 3)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to update the agency's strategy associated with its cloud asset management activities to include required resources, provide the strategy to agencies, and implement the strategy. (Recommendation 4)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
View More Recommendations

Related Pages

GAO Contacts