Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data.
Since our previous 2017 High-Risk Report, our assessment of efforts to address all five criteria remains unchanged.
Leadership commitment: met. In May 2017, the President issued an executive order requiring federal agencies to take a variety of actions, including better managing their cybersecurity risks and coordinating to meet reporting requirements related to cybersecurity of federal networks and critical infrastructure. Further, in December 2017, the President issued a National Security Strategy citing cybersecurity as a national priority and identifying needed actions, such as identifying and prioritizing risk and building defensible government networks.
The administration further described its planned approach to cybersecurity with the release of a National Cyber Strategy in September 2018. This national strategy outlines activities such as securing critical infrastructure, federal networks, and associated information, as well as developing the cybersecurity workforce. To lead the nation’s cybersecurity response activities, in November 2018, the President signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. Among other things, the law enables the Department of Homeland Security (DHS) to restructure the existing cybersecurity components within the National Protection and Programs Directorate to create a new cyber-focused agency.
Capacity: partially met. In June 2018, the administration issued a government-wide reform plan and reorganization recommendations that included, among other things, proposals for solving the federal cybersecurity workforce shortage. In particular, the plan notes the administration’s intent to prioritize and accelerate ongoing efforts to reform the way that the federal government recruits, evaluates, selects, pays, and places cyber talent. The plan further states that, by the end of the first quarter of fiscal year 2019, all 24 major federal agencies, in coordination with DHS and the Office of Management and Budget (OMB), are to develop a critical list of vacancies across their organizations.
Nevertheless, the federal government continues to face challenges in ensuring that the nation’s cybersecurity workforce has the appropriate skills. For example, we have previously reported that DHS and the Department of Defense had not fully addressed cybersecurity workforce management requirements set forth in federal laws. Further, as of June 2018, most of the 24 major federal agencies had not fully implemented all requirements associated with the Federal Cybersecurity Workforce Assessment Act of 2015. For example, three agencies had not conducted a baseline assessment to identify the extent to which their cybersecurity employees held professional certifications. As a result, these agencies may not be able to effectively gauge the competency of individuals who are charged with ensuring the confidentiality, integrity, and availability of federal information and information systems.
Action plan: partially met. In response to the May 2017 presidential executive order, DHS issued a cybersecurity strategy in May 2018 that articulated seven goals the department plans to accomplish over the next 5 years in support of its mission to manage national cybersecurity risks. Further, OMB issued the Federal Cybersecurity Risk Assessment and Action Plan in August 2018. The assessment stated that OMB and DHS examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data. The assessment identified core actions to address cybersecurity risks across the federal enterprise.
Additionally, the September 2018 National Cyber Strategy outlined the administration’s approach to cybersecurity through a variety of priority actions, such as centralizing management and oversight of federal civilian cybersecurity. However, the strategy lacks key elements that we have previously reported can enhance the usefulness of a national strategy, including clearly defined roles and responsibilities, and information on the resources needed to carry out the goals and objectives. Although the strategy states that National Security Council staff are to coordinate with departments, agencies, and OMB to determine the resources needed to support the strategy’s implementation, it is unclear what official maintains overall responsibility for coordinating these efforts, especially in light of the elimination of the White House Cybersecurity Coordinator position in May 2018.[1]
Going forward, it will be critical for the White House to clearly define the roles and responsibilities of key agencies and officials in order to foster effective coordination and hold agencies accountable for carrying out planned activities to address the cybersecurity challenges facing the nation. We have work underway examining federal roles and responsibilities for protecting the nation against cyber threats, including the implications of the decision to eliminate the cybersecurity coordinator position. We expect to report on the results of our work by the end of fiscal year 2019.
Monitoring: partially met. DHS has established the National Cybersecurity and Communications Integration Center (NCCIC), which functions as the 24/7 cyber monitoring, incident response, and management center for the federal civilian government. The United States Computer Emergency Readiness Team (US-CERT), one of several subcomponents of the NCCIC, is responsible for operating the National Cybersecurity Protection System. Operationally known as Einstein, this system is intended to provide DHS with situational awareness of the cybersecurity posture of entities across the federal government through intrusion detection and prevention capabilities.
Nevertheless, DHS has continued to be challenged in measuring how the NCCIC is performing its functions in accordance with mandated implementing principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, as of December 2018, it had not established measures or other procedures for ensuring the timeliness of these services, as we previously recommended.
We also continued to find persistent weaknesses in federal agencies’ monitoring of their information security programs. The Federal Information Security Modernization Act of 2014 (and its predecessor the Federal Information Security Management Act of 2002) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness. Our numerous security control audits have identified hundreds of deficiencies related to agencies’ implementation of effective security controls.
Demonstrated progress: partially met. Since 2010, we have made over 3,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government—448 of which were made since the last high-risk update in February 2017. Nevertheless, many agencies face challenges in safeguarding their information systems and information, in part because many of these recommendations have not been fully implemented. Of the roughly 3,000 recommendations made since 2010, nearly 700 had not been fully implemented as of December 2018. We have also designated 35 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. As of December 2018, 26 of our priority recommendations had not been fully implemented.
[1] The White House Cybersecurity Coordinator position was created in December 2009 to, among other things, coordinate interagency cybersecurity policies and strategies, and to develop a comprehensive national strategy to secure the nation’s digital infrastructure.
This information is from GAO’s 2019 High Risk Report. This report is updated every two years, at the start of each new Congress, and as needed.