Image

Information Security

Recent Reports

Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures

Published: Apr 30, 2025

Publicly Released: Apr 30, 2025

Cybersecurity: DHS Implemented a Grant Program to Enable State, Local, Tribal, and Territorial Governments to Improve Security

Published: Apr 29, 2025

Publicly Released: Apr 29, 2025

Cloud Computing: Private Sector Leading Practices in Acquisition, Cybersecurity, and Workforce Development

Published: Mar 24, 2025

Publicly Released: Mar 24, 2025

Mission-Critical Information Technology: Agencies Are Monitoring Selected Acquisitions for Cybersecurity and Privacy Risks

Published: Mar 11, 2025

Publicly Released: Mar 11, 2025

Coast Guard: Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System

Published: Feb 11, 2025

Publicly Released: Feb 11, 2025

Cybersecurity Workforce: Departments Need to Fully Implement Key Practices

Published: Jan 16, 2025

Publicly Released: Jan 16, 2025

View More Reports

Open Recommendations

Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures

Show

4 Open Recommendations

Agency Affected	Recommendation	Status
Department of Health and Human Services	The Secretary of HHS should direct that ONS develop and disseminate training and guidance on supply chain risk assessment standards that enable operating divisions to implement effective risk management for genomic data security while maintaining a focus on their core missions. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institutes of Health	The director of NIH should direct that NIH begin systematically tracking the extent to which intramural and extramural researchers use genetic services provided by entities with ties to countries of concern. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institutes of Health	The director of NIH should require the development and implementation of procedures to proactively and comprehensively monitor researcher compliance with data management and security measures for human genomic data. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Disease Control and Prevention	The director of CDC should direct CDC to develop and implement procedures, across all its centers that maintain restricted-access repositories with human genomic information, to proactively and comprehensively monitor researcher compliance with data management and security measures. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Internet of Things: Federal Actions Needed to Address Legislative Requirements

Show

11 Open Recommendations

Agency Affected	Recommendation	Status
Office of Management and Budget	The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Education	The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor	The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs	The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency	The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
Office of the National Cyber Director	The National Cyber Director should (1) lead the coordination of the national quantum computing cybersecurity strategy and (2) ensure that the strategy's various documents address all the desirable characteristics of a national strategy. (Recommendation 1)	Open ONCD did not agree or disagree with this recommendation and has not taken action to address it. In February 2025, ONCD stated that, although the office is open to leading the development of a National Quantum Computing Cybersecurity Strategy, this would ultimately depend on the concurrence of the new National Cyber Director. We will continue to evaluate the ONCD's progress in implementing this recommendation.

Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems

Show

2 Open Recommendations

Agency Affected	Recommendation	Status
Environmental Protection Agency	The Administrator of EPA should evaluate its existing legal authorities for carrying out EPA's cybersecurity responsibilities and seek any needed enhancements to such authorities from the administration and Congress. (Recommendation 3)	Open In its comments on the report, EPA stated that it concurs with this recommendation. It also said that it had already conducted a thorough examination of and provided technical assistance to Congress on existing legal authorities with respect to EPA cybersecurity responsibility. Further, the agency committed to providing a detailed explanation of its examination of legal authorities as part of the risk management plan, to be completed in 2025. Until this explanation is completed and available, however, GAO cannot assess the degree to which EPA has examined its legal authorities. GAO will continue to follow up on this recommendation.
Environmental Protection Agency	The Administrator of EPA should submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate. (Recommendation 4)	Open In its comments on the report, EPA stated that it concurs with this recommendation. It said it will submit the VSAT tool for independent peer review and revise the tool as appropriate. EPA estimated the review will begin in November 2024. GAO will follow up on the status of this recommendation.

View More Recommendations

GAO Contacts

Vijay A. D'Souza

Director

Information Technology and Cybersecurity

dsouzav@gao.gov

Nick Marinos

Managing Director

Information Technology and Cybersecurity

MarinosN@gao.gov

William Russell

Director

Contracting and National Security Acquisitions

russellw@gao.gov

Jennifer Franks

Director

Information Technology and Cybersecurity

franksj@gao.gov

David (Dave) Hinchman

Director

Information Technology and Cybersecurity

HinchmanD@gao.gov

Marisol Cruz Cain

Director

Information Technology and Cybersecurity

cruzcainm@gao.gov