Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures

Why It's High Risk

Information Security

Federal agencies and our nation's critical infrastructures—such as power distribution, water supply, telecommunications, national defense, and emergency services—rely extensively on computerized information systems and electronic data to carry out their operations. The security of these systems and data is essential to preventing disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information and to protecting national and economic security, and public health and safety. Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection, or cyber CIP—is a continuing concern.

GAO has designated federal information security as high risk since 1997 and expanded this area to include cyber CIP in 2003. The continued risks to information systems and cyber critical infrastructure include

  • insider threats from disaffected or careless employees and business partners,
  • escalating and emerging threats from around the globe,
  • the ease of obtaining and using hacking tools,
  • the steady advance in the sophistication of attack technology, and
  • the emergence of new and more destructive attacks.

What We Found

The administration and executive branch agencies (including the Department of Homeland Security (DHS)) continue to improve the security of federal systems, better protect cyber-reliant critical infrastructures, and strengthen the nation's security posture. However, the administration and executive branch agencies continue to experience significant deficiencies that jeopardize the nation's cyber critical infrastructure and federal systems and information.

The administration and executive branch agencies have not yet fully implemented key actions that are intended to address threats and improve the current U.S. approach to cybersecurity, such as:

  • updating the national strategy for securing the information and communications infrastructure,
  • developing a comprehensive national strategy for addressing global cybersecurity and governance,
  • creating a prioritized national and federal research and development agenda for improving cybersecurity,
  • implementing the near- and mid-term actions recommended by the cybersecurity policy review directed by the president,
  • enhancing cyber analytical and technical capabilities to protect against cyber threats,
  • strengthening the effectiveness of the public-private sector partnerships in securing cyber critical infrastructure, and
  • overcoming shortcomings and challenges associated with the implementation of several of the governmentwide security initiatives.

Further, agencies have not consistently implemented effective controls to prevent, limit, and detect unauthorized access or manage the configuration of network devices to prevent unauthorized access and ensure system integrity.

Agencies also have not yet fully or effectively implemented an agencywide information security program.

What Needs to Be Done

Federal efforts are needed to

  • update and implement national strategies and plans for securing cyber critical infrastructures,
  • address global cybersecurity and governance,
  • prioritize cybersecurity research and development, and
  • complete near- and mid-term cybersecurity actions recommended by a presidentially-directed review.

Additionally, executive branch agencies, in particular DHS, need to

  • improve and expand their cyber analytical and technical capabilities,
  • demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures, and
  • expand oversight of federal agencies' implementation of information security.

To enhance security over federal systems and information, agencies need to

  • develop and implement remedial action plans for resolving known security deficiencies of government systems,
  • fully develop and effectively implement agencywide information security programs, as required by the Federal Information Security Management Act of 2002, and
  • demonstrate measurable, sustained progress in improving security over federal systems.

GAO Contact
David Powner

Director, Information Technology

pownerd@gao.gov

(202) 512-9286

Gregory C. Wilshusen

Director, Information Technology

wilshuseng@gao.gov

(202) 512-6244