Widespread Cybersecurity Risk Management Failures at Federal Agencies Identified by GAO

Government Accountability Office (GAO)

The Government Accountability Office (GAO) has completed a review of 23 federal agencies and found widespread weaknesses in cybersecurity risk management.

Federal agencies are targeted by hackers, so it is crucial that security measures are put in place to safeguard against those threats. Federal legislation requires government agencies to take a risk-based approach to cybersecurity in order to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to carry out its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what hurdles they faced when developing those programs, and what measures the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) had taken to fulfil their duties in addressing the cybersecurity challenges faced by federal agencies.

The study showed that 22 of the 23 federal agencies (all but one) had hired a cybersecurity risk executive, but many of the agencies reviewed had not incorporated other important elements of a risk management program.

There were flaws in the development of cybersecurity risk management strategies. Sixteen agencies had not fully completed and put in place a cybersecurity risk management strategy delineating the boundaries for risk-based decisions. Seventeen agencies had not fully formulated and implemented agency-wide and system-level plans for assessing, monitoring, and responding to cybersecurity risks. Eleven agencies had not set up a process for assessing agency-wide cybersecurity risk based on an aggregation of system-level risks. Thirteen agencies had not created a process for coordinating between their cybersecurity and enterprise risk management (ERM) programs for managing all major threats.

Until policies and procedures are amended and these security failures are tackled, federal agencies will face a heightened risk of cyberattacks that threaten the national security of the United States and the privacy of individuals.

GAO made 58 recommendations, including agency-specific ones, that the agencies should incorporate into their risk management strategies.

Federal agencies have faced several obstacles in assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which all 23 agencies cited as an issue.

Other common issues were balancing competing priorities between operations and cybersecurity, creating and implementing consistent policies and procedures, formulating and implementing standardized technology capabilities, and obtaining quality risk data.

GAO has recommended that DHS and OMB develop processes for sharing best practices and successful methods for tackling the common challenges encountered when implementing consistent cybersecurity risk management practices, so that those challenges can be overcome quickly and the security posture of all federal agencies can be rapidly improved.