1. Share This:
2.  
3.  
4.  
5.  

Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on information technology (IT) systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being.

Because many of these systems contain vast amounts of personally identifiable information (PII), agencies must protect the confidentiality, integrity, and availability of this information. In addition, they must effectively respond to data breaches and security incidents when they occur.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks.

We have designated information security as a government-wide high-risk area since 1997. We expanded this high-risk area in 2003 to include protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.

Since our previous 2017 High-Risk Report, our assessment of efforts to address all five criteria remains unchanged.

Leadership commitment: met. In May 2017, the President issued an executive order requiring federal agencies to take a variety of actions, including better managing their cybersecurity risks and coordinating to meet reporting requirements related to cybersecurity of federal networks and critical infrastructure. Further, in December 2017, the President issued a National Security Strategy citing cybersecurity as a national priority and identifying needed actions, such as identifying and prioritizing risk and building defensible government networks.

The administration further described its planned approach to cybersecurity with the release of a National Cyber Strategy in September 2018. This national strategy outlines activities such as securing critical infrastructure, federal networks, and associated information, as well as developing the cybersecurity workforce. To lead the nation’s cybersecurity response activities, in November 2018, the President signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. Among other things, the law enables the Department of Homeland Security (DHS) to restructure the existing cybersecurity components within the National Protection and Programs Directorate to create a new cyber-focused agency.

Capacity: partially met. In June 2018, the administration issued a government-wide reform plan and reorganization recommendations that included, among other things, proposals for solving the federal cybersecurity workforce shortage. In particular, the plan notes the administration’s intent to prioritize and accelerate ongoing efforts to reform the way that the federal government recruits, evaluates, selects, pays, and places cyber talent. The plan further states that, by the end of the first quarter of fiscal year 2019, all 24 major federal agencies, in coordination with DHS and the Office of Management and Budget (OMB), are to develop a critical list of vacancies across their organizations.

Nevertheless, the federal government continues to face challenges in ensuring that the nation’s cybersecurity workforce has the appropriate skills. For example, we have previously reported that DHS and the Department of Defense had not fully addressed cybersecurity workforce management requirements set forth in federal laws. Further, as of June 2018, most of the 24 major federal agencies had not fully implemented all requirements associated with the Federal Cybersecurity Workforce Assessment Act of 2015. For example, three agencies had not conducted a baseline assessment to identify the extent to which their cybersecurity employees held professional certifications. As a result, these agencies may not be able to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of federal information and information systems.

Action plan: partially met. In response to the May 2017 presidential executive order, DHS issued a cybersecurity strategy in May 2018 that articulated seven goals the department plans to accomplish in support of its mission related to managing national cybersecurity risks over the next 5 years. Further, OMB issued the Federal Cybersecurity Risk Assessment and Action Plan in August 2018. The assessment stated that OMB and DHS examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data. The assessment identified core actions to address cybersecurity risks across the federal enterprise.

Additionally, the September 2018 National Cyber Strategy outlined the administration’s approach to cybersecurity through a variety of priority actions, such as centralizing management and oversight of federal civilian cybersecurity. However, the strategy lacks key elements that we have previously reported can enhance the usefulness of a national strategy, including clearly defined roles and responsibilities, and information on the resources needed to carry out the goals and objectives. Although the strategy states that National Security Council staff are to coordinate with departments, agencies, and OMB to determine the resources needed to support the strategy’s implementation, it is unclear what official maintains overall responsibility for coordinating these efforts, especially in light of the elimination of the White House Cybersecurity Coordinator position in May 2018.¹

Going forward, it will be critical for the White House to clearly define the roles and responsibilities of key agencies and officials in order to foster effective coordination and hold agencies accountable for carrying out planned activities to address the cybersecurity challenges facing the nation. We have work underway examining federal roles and responsibilities for protecting the nation against cyber threats, including the implications of the decision to eliminate the cybersecurity coordinator position. We expect to report on the results of our work by the end of fiscal year 2019.

Monitoring: partially met. DHS has established the National Cybersecurity and Communications Integration Center (NCCIC), which functions as the 24/7 cyber monitoring, incident response, and management center for the federal civilian government. The United States Computer Emergency Readiness Team, one of several subcomponents of the NCCIC, is responsible for operating the National Cybersecurity Protection System. Operationally known as Einstein, this system is intended to provide DHS with situational awareness related to cybersecurity of entities across the federal government, through intrusion detection and prevention capabilities.

Nevertheless, DHS has continued to be challenged in measuring how the NCCIC is performing its functions in accordance with mandated implementing principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, as of December 2018, it had not established measures or other procedures for ensuring the timeliness of these assessments, as we previously recommended.

We also continued to find persistent weaknesses in federal agencies’ monitoring of their information security programs. The Federal Information Security Modernization Act of 2014 (and its predecessor the Federal Information Security Management Act of 2002) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness. Our numerous security control audits have identified hundreds of deficiencies related to agencies’ implementation of effective security controls.

Demonstrated progress: partially met. Since 2010, we have made over 3,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government—448 of which were made since the last high-risk update in February 2017. Nevertheless, many agencies face challenges in safeguarding their information systems and information, in part because many of these recommendations have not been fully implemented. Of the roughly 3,000 recommendations made since 2010, nearly 700 had not been fully implemented as of December 2018. We have also designated 35 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. As of December 2018, 26 of our priority recommendations had not been fully implemented.

[1] The White House Cybersecurity Coordinator position was created in December 2009 to, among other things, coordinate interagency cybersecurity policies and strategies, and to develop a comprehensive national strategy to secure the nation’s digital infrastructure.

Based on our prior work, we have identified four major cybersecurity challenges: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. To address these challenges, we have identified 10 critical actions that the federal government and other entities need to take (see figure 12).

Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges

Congressional Actions Needed

We also have previously suggested that Congress consider amending laws, such as the Privacy Act of 1974 and the E-Government Act of 2002, because they may not consistently protect PII. Specifically, we found that while these laws and guidance set minimum requirements for agencies, they may not consistently protect PII in all circumstances of its collection and use throughout the federal government, and may not fully adhere to key privacy principles. However, the relevant revisions to the Privacy Act and the E-Government Act had not yet been enacted as of the date of this report.

Further, we suggested that Congress consider strengthening the consumer privacy framework and review issues such as the adequacy of consumers’ ability to access, correct, and control their personal information; and privacy controls related to new technologies such as web tracking and mobile devices. However, these suggested changes had not yet been enacted as of the date of this report.

Recommended Links

• Cybersecurity