Decade-old cyber advice from GAO remains unimplemented, watchdog says

Reliance on legacy IT systems creates challenges for agencies looking to make use of the suggestions.

Nearly 570 out of 1,610 cybersecurity recommendations for federal agencies remain unimplemented as of May 2024, hindering the government’s ability to protect its sensitive systems, critical infrastructure and sensitive data from hackers, according to a report from the Government Accountability Office.

As of last month, agencies have implemented 1,043 of GAO’s recommendations made since 2010 in an effort to fix “challenge areas” involved in protecting government systems, but 567 of them remain unaddressed.

“This increases the risk that the nation will be unprepared to respond to the cyber threats that can cause serious damage to public safety, national security, the environment, and economic well-being,” GAO auditors said in the paper, released as part of the watchdog's High Risk series that focuses on programs needing swift cost overhaul, new management or transformation.

The audit, which was conducted beginning in December of last year, says the government needs to improve federal efforts to shore up data privacy, strengthen governmentwide cyber implementation initiatives and mitigate software supply chain risks, among other things.

Why these recommendations are not yet implemented varies by agency, said GAO IT and Cybersecurity Director Marisol Cruz Cain, speaking on a call with reporters ahead of the findings’ release.

In the majority of cases, it comes down to legacy IT systems that are reliable for day-to-day agency operations but no longer get regular security updates pushed to them from their manufacturer, leaving them open to possible exploitation.

“It’s a challenge where you need to plan,” she said. “You have to have the budget. You have to have the right technologies that match in order to take your really old technology and even update it to something that’s fairly new, and make sure that works in your environment with all the other technologies that you have.”

Civilian agencies have faced myriad cyber threats over the past year. They could be in line for a 10% increase in cybersecurity funds under the White House’s 2025 budget request, though the final number may change as Congress weighs in with its spending bills in the coming months.

An OMB report out last week says federal agencies reported 32,211 cyber incidents to the Cybersecurity and Infrastructure Security Agency, versus 29,319 incidents in the prior year period, marking a nearly 10% increase in observed hacking attempts.