GAO Report: Critical Cybersecurity Challenges and Federal Recommendations

Written by Bola Ogbara | Jun 21, 2024 2:01:37 PM

The GAO's latest report on US cybersecurity identifies four major challenges and offers ten actions to solve them. 

On June 13, 2024, the U.S. Government Accountability Office (GAO) released a report sharing the major cybersecurity challenges in the nation, as well as critical actions that can be taken to address them. 


The GAO has a long history of offering guidance on the nation’s cybersecurity weaknesses. Since 2010, GAO has made 1,610 recommendations in this area. While 1,043 of those recommendations have been successfully applied across federal agencies, “567 remain[ed] unimplemented as of May 2024.” These unimplemented recommendations likely played an important role in the 30,659 information technology security incidents federal agencies reported in fiscal year 2022. In hopes of curbing the astounding number of IT security incidents seen again in FY 2023, the report identifies “four major cybersecurity challenges and 10 associated critical actions”:


1. Establishing a comprehensive cybersecurity strategy and performing effective oversight

According to GAO, the National Cybersecurity Strategy and the corresponding implementation plan “addressed some, but not all, of the desirable characteristics of a national strategy.” This evaluation may be a little different now with the recent release of version two of the implementation plan, but the GAO points out that many risks also remain unaddressed by the federal government’s oversight, particularly in supply chain management, the cyber workforce, and AI use. 170 out of 396 (43%) of the recommendations the GAO has made in these areas have not yet been implemented, and the report lists four actions to meet this challenge.

Actions: 

• Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace.
• Mitigate global supply chain risks by preventing the installation of malicious software or hardware.
• Address cybersecurity workforce management challenges.
• Bolster the security of emerging technologies, like AI.


2. Securing federal systems and information

Many agencies have limited information security and cybersecurity incident preparedness. Only eight out of 23 civilian agencies subject to the Chief Financial Officers Act of 1990 received an effective rating for their information security programs in the last six years. GAO’s December 2023 report also found that only three out of 23 agencies had fully established event logging capabilities. All in all, 221 of 839 (26%) of the recommendations to secure federal systems and information have not been implemented. The GAO provided three actions to address this gap.

Actions: 

• Improve uptake of government-wide cybersecurity initiatives
• Address vulnerabilities in federal agency information security programs
• Elevate the federal response to cyber incidents


3. Protecting the cybersecurity of critical infrastructure

Though the U.S. is dependent on its 16 critical infrastructure sectors, the GAO found that this group had the highest percentage of unimplemented recommendations, at 51% (64 out of 126). Just four critical infrastructure sectors (healthcare and public health, transportation systems, energy, and critical manufacturing) “reported almost half of all ransomware attacks,” yet they “had not determined the extent of their adoption of leading practices to address ransomware.” GAO asked CISA to help with coordination between federal agencies, but says that “the recommendations have not yet been implemented.” There is only one action item for this challenge.

Actions:

• Strengthen the federal role in protecting the cybersecurity of critical infrastructure like the electricity grid and telecommunications networks.


4. Protecting privacy and sensitive data

GAO found that federal agencies often have trouble protecting private and sensitive data. For example, GAO reported in August 2023 that the IRS has an incomplete inventory of the systems that store sensitive taxpayer information. Another report noted that “there remains no comprehensive U.S. internet privacy law governing private companies’ collection, use, or sale of internet users’ data,” which is concerning. The GAO suggests two actions for this challenge.

Actions:

• Improve federal efforts to protect privacy and sensitive data.
• Limit the collection and use of personal information and confirm that it is obtained with appropriate knowledge or consent.


The GAO’s report paints a clear picture: the US faces serious cybersecurity challenges. From outdated strategies to a shortage of trained professionals, these weaknesses expose government systems, critical infrastructure, and even personal data. The report’s 10 actions are a strong first step toward improving the cybersecurity posture of federal agencies that are behind on implementing their GAO recommendations.