Government watchdog warns on cyber weakness
The federal government has not yet addressed nearly 150 recommendations previously issued by the Government Accountability Office to help strengthen national cybersecurity, according to a new report.
The federal government has not addressed a significant number of security weaknesses and policy oversights that leave agencies susceptible to potential cyberattacks, according to a new report, despite previous recommendations to help bolster federal cybersecurity.
More than 20% of 712 public recommendations issued since 2010 to secure federal systems remained unaddressed, the Government Accountability Office said this week in a high risk report that identified a series of critical steps agencies should take to improve government-wide cybersecurity efforts.
The report called out the Cybersecurity and Infrastructure Security Agency for not having fully completed its organizational plan and recommended that the nation's cyber defense agency establish timelines and develop performance measures to complete implementation tasks and track progress. According the report, GAO's requests remained unfulfilled in December 2022.
Rep. Yvette Clark (D--N.Y.), a senior member of the Homeland Security Committee, said in response to the latest report that it was "critical" for federal agencies to continue adopting the GAO's recommendations.
"The persistent cyber threats facing federal agencies demands that we be able to dynamically grow and evolve the programs aimed at defending and building resilience of federal networks," she said, adding that she will work "to ensure that [CISA] expeditiously implements its reorganization plans."
The report also found that the Office of Management and Budget guidance to agency inspectors general on conducting agency evaluations "was not always clear, leading to inconsistent application and reporting," and identified major program and control deficiencies at agencies that could leave the government susceptible to cybersecurity risks impacting sensitive government data.
GAO said that the Department of Homeland Security agreed with its recommendations for CISA but had not yet implemented those changes as of December 2022. NIH also agreed with GAO's recommendations, but had only implemented about 71% of the changes to its information security program and select systems as of December last year.
The report also encouraged the Department of Defense to expand its information-sharing practices around cyber incidents impacting the defense industrial base, and though the department agreed with the recommendations, it had not yet made any changes to its policies.