What GAO Found
In March 2021, GAO issued its high-risk series update and emphasized that federal agencies needed to implement numerous critical actions to strengthen the nation’s cybersecurity and information technology (IT) management efforts. In the update, GAO reiterated the importance of agencies addressing four major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. Overall, the federal government has to move with a greater sense of urgency to fully address key cybersecurity challenges. In particular:
- Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the White House’s national cyber strategy and associated implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
- Mitigate global supply chain risks. GAO reported in December 2020 that few of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
- Address weaknesses in federal agencies’ information security programs. GAO reported in July 2019 that 23 agencies almost always designated a risk executive, but had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.
In its March update, GAO also stressed the importance of the Office of Management and Budget (OMB) and federal agencies fully implementing critical actions recommended to improve the management of IT to better manage tens of billions of dollars in IT investments. GAO emphasized, for example, that
- OMB had demonstrated its leadership commitment to improving IT management, but sustaining this commitment was critically important;
- twenty-one of 24 federal agencies had not yet implemented recommendations to fully address the role of Chief Information Officers, including enhancing their authorities;
- OMB and agencies needed to address modernization challenges and workforce planning weaknesses; and
- agencies could take further action to reduce duplicative IT contracts and reduce the risk of wasteful spending.
Until OMB and federal agencies take critical actions to strengthen efforts to address these important high-risk areas, longstanding and pervasive weaknesses will likely continue to jeopardize the nation’s cybersecurity and management of IT.
Why GAO Did This Study
The nation’s critical infrastructures and federal agencies are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information. Each year, the federal government spends more than $100 billion on cybersecurity and IT investments.
GAO has long stressed the continuing and urgent need for effective cybersecurity, as underscored by recent events that have illustrated persistent and evermore sophisticated cyber threats and incidents. Moreover, many IT investments have failed, performed poorly, or suffered from ineffective management. Accordingly, GAO has included information security on its high-risk list since 1997 and added improving the management of IT acquisitions and operations in 2015. In its March 2021 high-risk series update, GAO reported that significant attention was needed in both of these important areas.
GAO was asked to testify on federal agencies’ efforts to address cybersecurity and the management of IT. For this testimony, GAO relied on selected products it previously issued.