Most Federal Agencies Ignored GAO’s Cybersecurity Recommendations
Nearly 60% of the cybersecurity recommendations made by the US Government Accountability Office (GAO) since 2010 have yet to be implemented by federal agencies.
The Office unveiled the figures in a release last Thursday, adding that out of 335 public recommendations, 190 still needed to be implemented.
“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO wrote.
According to the Office, the September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan released by the White House addressed some of the characteristics of national strategies but not all of them.
Specifically, GAO explained that purpose, scope and methodology processes were implemented alongside organizational roles, responsibilities and coordination operations. Integration and implementation efforts had also been acknowledged.
However, the strategy still needs to address goals, subordinate objectives, activities and performance measures. Resources, investments and risk management operations still need to be implemented.
“Federal agencies face numerous information and communications technology (ICT) supply chain risks, which could lead to disrupted mission operations, theft of intellectual property, and harm to individuals,” GAO wrote.
“In December 2020, our review of 23 civilian agencies found that none had fully implemented all of the seven foundational practices for supply chain risk management and that 14 had not implemented any of the practices.”
The Office also made several recommendations to address continuing cybersecurity workforce challenges, which include developing a government-wide workforce plan with supporting practices.
“Government-wide leadership responsibility for cyber workforce issues transitioned in 2022 from [the Office of Management and Budget] and [the Department of Homeland Security] to the Office of the National Cyber Director. The Office has committed to developing a national strategy that addresses key issues.”
The GAO report also looked at Internet of Things (IoT) initiatives by the Departments of Energy, Health and Human Services, Homeland Security and Transportation. It concluded that none of them developed metrics to assess their efforts to mitigate sector risks or conducted IoT and OT cybersecurity risk assessments.
Finally, GAO looked at quantum technologies and called for government agencies to step up efforts to develop cybersecurity mitigation strategies that account for these new tools.
In this regard, US President Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act into law in December 2022.