Published on January 20th, 2023
Majority of GAO’s Cyber Recommendations Since 2010 Have Gone Unresolved
The Government Accountability Office said in a report on Thursday that federal agencies have not implemented almost 60% of the cybersecurity recommendations issued by the watchdog since 2010, potentially undermining their ability to safeguard sensitive information.
The report, which GAO said is “the first in a series of four reports that lay out the main cybersecurity areas the federal government should urgently address,” found that approximately 190 of the watchdog’s 335 recommendations had not been put in place as of December 2022. GAO warned that “until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”
To enhance agencies’ cybersecurity practices and protocols, GAO said that the Biden administration should work to implement a “comprehensive national cybersecurity strategy” that includes robust oversight and addresses the full range of “desirable characteristics of national strategies.”
“Until the federal government fully develops and implements a comprehensive national strategy, it will not have a clear roadmap for overcoming the cyber challenges facing our nation,” GAO said.
The Trump administration previously issued a national cybersecurity strategy in 2018 and an implementation plan in 2019, which GAO noted in a September 2020 report “addressed some, but not all, of the desirable characteristics of national strategies,” including resources, investments and risk management.
The Biden administration is reportedly planning to unveil its own national cybersecurity strategy in the coming weeks, and GAO said that the White House should work to ensure that it “addresses those characteristics” missing from the Trump-era strategy.
The report also said that federal agencies “need to fully implement all of the foundational practices for supply chain risk management” to help mitigate global supply chain risks, noting that a December 2020 GAO review of 23 civilian agencies “found that none had fully implemented all of the seven foundational practices for supply chain risk management and that 14 had not implemented any of the practices.”
GAO also identified deficiencies in agencies’ efforts to implement reforms “that prioritized solving the cybersecurity workforce shortage by identifying and closing workforce skills gaps and developing a standardized approach to hiring, training and retaining qualified cybersecurity professionals.”
The report noted, in particular, that the Office of Management and Budget and the Department of Homeland Security have only partially addressed recommendations regarding their cyber workforce challenges, and have “not established a dedicated implementation team or a government-wide implementation plan.”
“Without these practices in place, OMB and DHS will likely be unable to make significant progress towards solving the cybersecurity workforce shortage,” GAO said.
Additionally, GAO called for agencies to “take action to better secure internet-connected devices,” noting that “the nation’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems.”
The report cited a December 2022 GAO review, which said that the Departments of Energy, Health and Human Services, Homeland Security and Transportation “had cybersecurity initiatives underway intended to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems,” but found that “none of the lead agencies had developed metrics to assess the effectiveness of their efforts.”
GAO also said that cybersecurity concerns surrounding other emerging technologies, such as artificial intelligence and quantum computing, mean that the government’s oversight “will need to evolve” moving forward to keep pace with potential new threats.