Majority of GAO's Cyber Recommendations Since 2010 Have Gone Unresolved

The Government Accountability Office said in a report on Thursday that federal agencies have not implemented almost 60% of the cybersecurity recommendations issued by the watchdog since 2010, potentially undermining their ability to safeguard sensitive information. 

The report—which GAO said is “the first in a series of four reports that lay out the main cybersecurity areas the federal government should urgently address”—found that approximately 190 of the watchdog’s 335 recommendations had not been put in place as of December 2022. GAO warned that “until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”

To enhance agencies’ cybersecurity practices and protocols, GAO said that the Biden administration should work to implement a “comprehensive national cybersecurity strategy” that includes robust oversight and addresses the full range of “desirable characteristics of national strategies.” 

“Until the federal government fully develops and implements a comprehensive national strategy, it will not have a clear roadmap for overcoming the cyber challenges facing our nation,” GAO said. 

The Trump administration previously issued a national cybersecurity strategy in 2018 and an implementation plan in 2019, which GAO noted in a September 2020 report “addressed some, but not all, of the desirable characteristics of national strategies,” including resources, investments and risk management.

The Biden administration is reportedly planning to unveil its own national cybersecurity strategy in the coming weeks, and GAO said that the White House should work to ensure that it “addresses those characteristics” missing from the Trump-era strategy. 

The report also said that federal agencies “need to fully implement all of the foundational practices for supply chain risk management” to help mitigate global supply chain risks, noting that a December 2020 GAO review of 23 civilian agencies “found that none had fully implemented all of the seven foundational practices for supply chain risk management and that 14 had not implemented any of the practices.”

GAO also identified deficiencies in agencies’ efforts to implement reforms “that prioritized solving the cybersecurity workforce shortage by identifying and closing workforce skills gaps and developing a standardized approach to hiring, training and retaining qualified cybersecurity professionals.”

The report noted, in particular, that the Office of Management and Budget and the Department of Homeland Security have only partially addressed recommendations regarding their cyber workforce challenges, and have “not established a dedicated implementation team or a government-wide implementation plan.”

“Without these practices in place, OMB and DHS will likely be unable to make significant progress towards solving the cybersecurity workforce shortage,” GAO said.

Additionally, GAO called for agencies to “take action to better secure internet-connected devices,” noting that “the nation’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems.”

The report cited a December 2022 GAO review, which said that the Departments of Energy, Health and Human Services, Homeland Security and Transportation “had cybersecurity initiatives underway intended to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems,” but found that “none of the lead agencies had developed metrics to assess the effectiveness of their efforts.” 

GAO also said that cybersecurity concerns surrounding other emerging technologies—such as artificial intelligence and quantum computing—mean that the government’s oversight “will need to evolve” moving forward to keep pace with potential new threats.