Widespread Cybersecurity Risk Management Failures at Federal Agencies Identified by GAO

by Patrick Kennedy | Aug 21, 2019

The Government Accountability Office (GAO) has completed a research study of 23 federal bodies and found widespread cybersecurity risk management weaknesses.

Federal agencies are a constant target for hackers, so it is crucial that security measures are in place to safeguard against those threats. Federal legislation requires government agencies to take a risk-based approach to cybersecurity in order to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to carry out its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what hurdles they faced when developing those programs, and what measures the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) had taken to fulfil their responsibilities for addressing the cybersecurity challenges faced by federal agencies.

The study showed that 22 of the 23 federal agencies had hired a cybersecurity risk executive, but other important elements of a risk management program had not been put in place at many of the agencies reviewed.

There were gaps in the development of cybersecurity risk management strategies. Sixteen agencies had not fully developed and put in place a cybersecurity risk management strategy delineating the boundaries for risk-based decisions. Seventeen agencies had not fully formulated and implemented agency-wide and system-level policies for assessing, monitoring, and responding to cybersecurity risks. Eleven agencies had not set up a process for assessing agency-wide cybersecurity risk based on an aggregation of system-level risks. Thirteen agencies had not created a process for coordinating between their cybersecurity and enterprise risk management (ERM) programs for managing all major risks.

Until policies and procedures are amended and the security failures are tackled, federal bodies will face a heightened risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations, including agency-specific recommendations for certain agencies, that the reviewed bodies should incorporate into their risk management programs.

Federal agencies have faced several obstacles in assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as an issue by all 23 agencies.

Dealing with competing priorities between operations and cybersecurity, creating and implementing consistent policies and procedures, formulating and implementing standardized technology capabilities, and receiving quality risk data were also common issues.

GAO has recommended that DHS and OMB develop processes for sharing best practices and successful methods for tackling the common challenges agencies face when implementing consistent cybersecurity risk management practices. The aim is to ensure those challenges can be overcome quickly and that the security posture of all federal agencies is rapidly enhanced.
