Agencies Fail to Resolve Basic Cybersecurity Threats
The Government Accountability Office (GAO) released a report Friday criticizing agencies for neglecting to implement basic cybersecurity practices despite thousands of recommendations for action. Auditors attributed the lack of security protocols to improper oversight and to agency leaders' lack of understanding of present threats.
Congress passed the Federal Information Security Management Act (FISMA) in 2002 to require agencies to develop, document, and implement an agency-wide information security program to secure federal information systems. The National Institute of Standards and Technology (NIST) also provides agencies with a framework for securing data and information. The GAO found both to be flawed in practice because of how agencies handled them.
Despite the regulations in place to ensure the security of information, the GAO found that the security policies and practices of agencies were “ineffective.”
The report notes, “Specifically, information security evaluation reports that we and agency inspectors general issued during fiscal year 2018 showed that most of the 16 selected agencies did not consistently or effectively implement policies or practices related to the core security functions of the cybersecurity framework. In addition, most of these selected agencies had deficiencies in implementing the eight elements of an information security program, as defined by FISMA.”
This report comes just one day after another GAO report found that agencies lack agency-wide cybersecurity risk management programs. The GAO explained, “Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks.”
A July 2019 report from the Inspector General (IG) of the Department of Energy also found that the department failed to enact proper cybersecurity controls at a radioactive waste management facility.
“The integrity, confidentiality and availability of systems and data managed by the site may be impacted by the vulnerabilities identified during our review,” the IG wrote in a summary of their findings.
The GAO found that the federal government faced 31,000 cyber incidents in 2018 and warned that the figure is likely to rise in coming years.