Federal agencies are failing to adequately address cybersecurity risks, jeopardizing not only the operations of the federal government and its agencies but also the personal information of U.S. citizens, according to a new audit by the Government Accountability Office.
The report, titled Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation, notes that of the more than 3,000 recommendations GAO has issued since 2010, roughly 1,000 had not been implemented as of August 2018. In addition, 31 of 35 priority recommendations also had not been addressed.
Many of these relate to the systems and structures agencies need to put in place to stave off security breaches and, when breaches do occur, to respond as quickly as possible. The audit was conducted from February to September 2018.
Citing the “inconsistent” security over IT systems and data, the report states, “The federal government needs to implement a more comprehensive cybersecurity strategy and improve its oversight, including maintaining a qualified cybersecurity workforce; address security weaknesses in federal systems and information and enhance cyber incident response efforts; bolster the protection of cyber critical infrastructure; and prioritize efforts to protect individuals’ privacy and PII.” (PII refers to personally identifiable information.)
The audit cites multiple agencies for various failures relating to cybersecurity protections, including the Department of Homeland Security as well as the Securities and Exchange Commission, the Internal Revenue Service, the Federal Deposit Insurance Corp., the Centers for Medicare & Medicaid Services (CMS) and the Department of Education’s Office of Federal Student Aid. In many cases, GAO had issued recommendations previously; even when an agency agreed with them (and sometimes it did not), it still failed to implement them.
“Until our recommendations are addressed and actions are taken to address the four challenges we identified, the federal government, the national critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to the multitude of cyber-related threats that exist,” the report concludes.
Examples of agencies’ failings concerning cybersecurity include:
- SEC not always maintaining complete or accurate security plans or implementing continuous monitoring, as required by its own policy
- IRS failing to update some system security plans
- FDIC failing to ensure that major security incidents can be identified and reported in a timely manner, as its own Inspector General had recommended
- CMS not implementing two of three procedures to oversee the security of state-based marketplaces
- The Department of Education’s Office of Federal Student Aid failing to adequately oversee the information security programs of its school partners
The report also noted “limited efforts” by the Office of Management and Budget to reduce the use of Social Security numbers by government agencies, despite the fact that millions of Social Security numbers had been stolen in the Equifax breach in 2017 and in the breach of the Office of Personnel Management in 2015.
The GAO plans to issue an assessment of this high-risk area in February 2019.