Agencies Still Falling Short on Cyber Standards, GAO Says

Many major federal agencies are dropping the ball when it comes to basic cybersecurity practices despite thousands of watchdog recommendations and an expanding array of digital threats, according to the Government Accountability Office.

Last year, federal auditors revealed that most agencies don’t understand the cybersecurity risks they face, and even fewer have put in place sufficient safeguards to defend against those threats, GAO said in a report published Friday. Many also lack proper policies for responding to intrusions and recovering from attacks, according to auditors.

The report, which summarizes numerous assessments from GAO and agency inspectors general, highlight the government’s long-standing struggle to translate IT security from paper to practice.

“IT systems are often riddled with security vulnerabilities,” auditors wrote in the report. “These vulnerabilities can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”

The government faced more than 31,000 cyber incidents in 2018, according to GAO, and that figure is likely to rise amid escalating tensions with global powers like China, Iran and Russia. But as U.S. officials explore strategies to defend against evolving digital threats, federal agencies are still struggling to put in place protections that were mandated years ago.

In 2017, President Trump issued an executive order requiring agencies to lock down their IT infrastructures using a cybersecurity framework created by the National Institute of Standards and Technology, but none of the 16 agencies included in the report had fully complied with the guidelines, auditors said. 

GAO found every agency failed to implement proper safeguards to protect their infrastructure against digital threats and all but one agency had shortcomings in their risk management strategies. Only three agencies sufficiently monitored their networks for unauthorized activity and laid out clear policies for reporting and responding to intrusions, auditors said, and only five had developed contingency plans to keep operations up and running in the event of an attack.

Most agencies also fell short in at least one of the eight IT security categories outlined in the 2014 Federal Information Security Management Act, the government’s primary cybersecurity regulation, auditors said. Organizations struggled the most with creating security training programs, developing incident response plans and fixing security gaps.

GAO also noted that last year, inspectors general at 18 of the 24 CFO Act agencies determined their organization’s cybersecurity plan was ineffective. All but two of the civilian CFO Act agencies failed to meet the cybersecurity goals outlined in the President’s Management Agenda, auditors added.

“[GAO] and the inspectors general have made thousands of recommendations aimed at improving information security programs and practices over the years,” GAO said. “Implementation of these recommendations will assist agencies in strengthening their information security policies and practices.

On Thursday, GAO published a separate report that revealed many agencies have yet to create a comprehensive cybersecurity risk management program, leaving them at “increased risk of cyber-based incidents that threaten national security and personal privacy.”