Skip to main content

Image

Information Security

Image

Jump To:

Open Recommendations

Cybersecurity: Selected Agencies Need to Better Protect Cloud Data

GAO-26-108443
Jun 25, 2026
Show
12 Open Recommendations
Agency Affected Recommendation Status
Department of State The Secretary of State should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing continuous monitoring deliverables from the cloud service provider. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of State The Secretary of State should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for coordinating incident response and recovery with providers. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include collecting and reviewing audit logs. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected SaaS system, to include collecting and reviewing audit logs. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for measuring and tracking incident response time. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected SaaS system, to include documenting plans or procedures for testing incident response and recovery procedures. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Government Efficiency: Treasury Needs to Fully Implement Data Protection Controls

GAO-26-108131
Apr 28, 2026
Show
6 Open Recommendations
Agency Affected Recommendation Status
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to update BFS policy to define the minimum screening requirements for obtaining broad access to Treasury payment system data. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to update BFS policy to require employees to take IT security and privacy training before obtaining broad access to Treasury payment systems. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement a process for verifying that employees sign BFS IT security rules of behavior prior to receiving broad access to payment systems. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement a process for verifying that broad access granted to payment systems is consistent with the level approved by the authorizing official. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement processes for conducting exit interviews and obtaining signatures on post-employment documentation in cases where these cannot occur before individuals with access to payment systems leave the agency. In doing so, the Commissioner should expeditiously implement this process for the anonymized former employee discussed in this report (employee B). (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Bureau of the Fiscal Service The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to either (1) configure BFS's data loss prevention tool to identify and block emails containing unencrypted payment information sent outside the agency, or (2) update BFS's process for reviewing emails with unencrypted payment information to include messages sent to other federal agencies and implement the updated process. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance

GAO-26-107681
Mar 26, 2026
Show
2 Open Recommendations
Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should specify examples of known privacy-related risks that agencies should consider when updating their policies as they pertain to AI. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should facilitate additional information sharing or issue government-wide guidance related to:

  • how agencies should consider privacy when evaluating and auditing AI models that contain sensitive information;
  • storing data in a manner where sensitive data can be separated from the dataset;
  • clear rules, norms, and best practices with respect to privacy that agencies should use when developing AI solutions internally;
  • performance metrics agencies can use to assess privacy-related impacts when using AI;
  • actions agencies can take to ensure that members of the public who interact with their AI technologies understand what they are consenting to;
  • technological tools agencies can use to protect sensitive data when using AI;
  • incorporating AI-specific considerations into privacy impact assessments, including identifying risks and informing the public about how PII is involved in the use of AI; and
  • potential tradeoffs between privacy and performance agencies can consider when using AI. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation

GAO-26-107955
Mar 12, 2026
Show
1 Open Recommendations
Agency Affected Recommendation Status
Department of Defense The Secretary of Defense should ensure the DOD Chief Information Officer assesses and documents key external factors that could significantly affect the implementation of the CMMC program and develops approaches it will take to address those factors. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

GAO Contacts