GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures.

Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies.

The study revealed all but one (22) federal agency had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the study.

There were deficiencies in the development of a cybersecurity risk management plan. 16 agencies had not fully established a cybersecurity risk management strategy which delineated the boundaries for risk-based decisions. 17 agencies had not fully established an agency-wide and system-level plan for assessing, monitoring, and responding to cybersecurity risks. A process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks had not been established at 11 agencies. 13 agencies had not established a process for coordinating between cybersecurity and ERM programs for managing all major risks.

Until policies and procedures are changed and the security failures are addressed, federal agencies will face an elevated risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations that all agencies should incorporate into their risk management processes, including specific recommendations for certain agencies.

Federal agencies have faced several challenges assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as a problem by all 23 agencies.

Managing competing priorities between operations and cybersecurity, establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data were also common problems.

GAO has recommended that the DHS and OMB develop methods for sharing best practices and successful methods for addressing some of the common challenges faced when implementing consistent cybersecurity risk management practices to ensure those challenges can be overcome quickly and security posture at all of the federal agencies is rapidly improved.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.