GAO Study Reveals Federal Agencies’ Extensive Failure in Cybersecurity Risk Management

The Government Accountability Office (GAO) performed a research study on 23 federal agencies and discovered extensive failures in cybersecurity risk management.

Cybercriminals target federal agencies, so it is important to implement safeguards that protect against those attackers. Federal law requires government agencies to follow a risk-based cybersecurity strategy to identify, prioritize, and manage cybersecurity threats.

The GAO conducted the study to find out the following:

  • if federal agencies have already established the crucial components of a cybersecurity risk management program
  • what difficulties the agencies faced in developing the program
  • what steps the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) had taken to handle their responsibilities in addressing the cybersecurity problems encountered by federal agencies

According to the study results, 22 of the 23 federal agencies had a designated cybersecurity risk executive. However, many of the agencies had not implemented the other crucial components of a risk management program.

There were inadequacies in the creation of a cybersecurity risk management program. 16 federal agencies had not completely set up a cybersecurity risk management plan. 17 agencies had yet to completely set up an agency-wide and system-level program for evaluating, tracking, and responding to cybersecurity threats. 11 agencies had yet to establish a procedure for evaluating agency-wide cybersecurity threats based on an aggregation of system-level risks. 13 agencies had no established process for coordinating their cybersecurity and enterprise risk management (ERM) programs to manage all major risks.

Unless changes are made to the policies and procedures and something is done to address the security problems, federal agencies will be more at risk of encountering cyberattacks that endanger national security and personal privacy.

GAO gave 58 recommendations that all federal agencies need to include in their risk management procedures, with distinct recommendations for particular agencies.

Federal agencies have faced a number of challenges in evaluating and handling cybersecurity risks. The primary challenge was hiring and retaining key cybersecurity management staff; all 23 agencies cited this as the number one problem. Other common problems include:

  • taking care of competing priorities between cybersecurity and operations
  • setting up and enforcing policies and procedures
  • creating and applying standardized technology functions
  • obtaining reliable risk data

GAO’s recommendation calls on DHS and OMB to develop strategies for sharing best practices and effective methods for dealing with the common challenges encountered when enforcing consistent cybersecurity risk management practices. These challenges must be overcome promptly so that the security posture of all federal agencies improves.