GAO finds challenges in protecting federal systems and information, calls for increased implementation

The U.S. Government Accountability Office (GAO) has identified three actions needed to address the challenges of securing federal systems and information: improving the implementation of government-wide cybersecurity initiatives, addressing weaknesses in federal agency information security programs, and strengthening the federal response to cyber incidents.

Describing its latest report as ‘the second in a series of four reports’ that lay out the main cybersecurity areas the federal government should urgently address, GAO focuses on securing federal systems and information. “We have made 712 recommendations in public reports since 2010 in this area. About 150 of these recommendations were not implemented as of December 2022. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO added.

Last month, GAO reported on the challenges in establishing a comprehensive cybersecurity strategy and performing effective oversight. It suggested that the federal government must develop and execute a comprehensive federal strategy for national cybersecurity and global cyberspace, mitigate global supply chain risks, develop a government-wide reform plan that addresses the cybersecurity workforce shortage, and ensure the security of emerging technologies.

Federal systems and the nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on technology systems to carry out fundamental operations and to process, maintain, and report vital information. The security of these systems and data is also essential for safeguarding individual privacy and protecting the nation’s security, prosperity, and well-being.

However, the risks associated with these technological systems are increasing, as malicious actors become more willing and capable of carrying out cyberattacks. These attacks could lead to serious harm to human safety, national security, the environment, and the economy. Agencies and critical infrastructure owners and operators must ensure the confidentiality, integrity, and availability of their systems, and effectively respond to any cyberattacks.

In its latest report, GAO said that the Cybersecurity and Infrastructure Security Agency (CISA) should complete its organizational transformation and fulfill its mission of protecting civilian agency systems and networks. The agency has undertaken a three-phased organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. Since its establishment, CISA has been reorganizing offices and functions previously organized under the Department of Homeland Security’s (DHS) National Protection and Programs Directorate while completing that transformation initiative, GAO reported.

“Until CISA establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, the agency will be hindered in meeting the goals of its organizational transformation initiative,” according to GAO. “Consequently, this could impair the agency’s ability to identify and respond to cyber incidents.”

The watchdog recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning. “DHS agreed with our recommendations. As of December 2022, it had not yet implemented any of them,” the report added. 

GAO suggested that to address weaknesses in federal agency information security programs, the Office of Management and Budget (OMB) should update inspectors general (IG) reporting guidance to increase rating consistency and precision. Additionally, “GAO found that OMB’s guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, we reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance,” it added.

By clarifying its guidance and enhancing its rating scale, OMB could help ensure a more consistent approach and nuanced picture of agencies’ cybersecurity programs, GAO reported. “We recommended that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale. OMB did not concur with our recommendations, stating, in part, that they want to provide IGs with the flexibility to adapt their reviews. GAO maintains that the recommendations are warranted, but they had not yet been implemented as of December 2022,” it added.

The GAO report also said that the National Institutes of Health (NIH) needs to resolve control deficiencies and improve its information security program. The deficiencies span identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cybersecurity events, and recovering system operations. Until NIH resolves the associated control and program deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and destruction.

“We recommended that NIH address these deficiencies, which resulted in 66 recommendations related to the security program and 153 recommendations related to system controls,” GAO said. “As of December 2022, NIH had implemented about 71 percent of the total 219 recommendations. However, it had not yet implemented 15 of the 66 on the information security program and 49 of the 153 on control deficiencies for selected systems.”

Looking at actions that could enhance the federal response to cyber incidents targeting federal systems, GAO called on agencies to act on the lessons learned from the SolarWinds and Microsoft Exchange incidents.

Last January, GAO “reported that the Cyber Unified Coordination Group agencies identified that information sharing and limited evidence collection led to challenges in coordinating and responding to the SolarWinds and Microsoft Exchange incidents. For example, we reported that an official from the Office of the Director of National Intelligence told us that information sharing among law enforcement, private sector, and intelligence groups was difficult and time-consuming, as there were different classification levels for information.” 

In addition, the National Security Council, with input from the Cyber Unified Coordination Group agencies, conducted a review of the SolarWinds incident. “The review identified that aligning technology investments with operational priorities, improving public-private engagement, and improving threat intelligence acquisition, sharing, and use among federal agencies may help with preventing and responding to future cybersecurity incidents.” 

The agency added that if implemented effectively, the areas from the National Security Council review could help address several challenges identified for both the SolarWinds and Microsoft Exchange incidents. “We did not make any recommendations in this report, but we maintain that addressing these challenges should remain a priority,” it added. 

GAO also highlighted that the Department of Defense needs to ensure cyber incidents are appropriately reported and shared. “DOD and our nation’s defense industrial base—which includes entities outside the federal government that provide goods or services critical to meeting U.S. military requirements—are dependent on information systems to carry out their operations. These systems continue to be susceptible to cyber incidents as cybersecurity threats have evolved and become more sophisticated,” it added. 

In November, GAO reported that DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, “we found that the department had not fully implemented its processes for managing cyber incidents, did not have complete data on cyber incidents that staff report, and did not document whether it notifies individuals whose personal data is compromised in a cyber incident,” it added.

GAO has recommended that DOD improve the sharing of defense industrial base-related cyber incident information and document when affected individuals are notified that their personally identifiable information (PII) has been compromised. “DOD concurred with our recommendations; however, it had not yet implemented these recommendations as of December 2022,” it added.

Last week, the U.S. Senate Homeland Security and Governmental Affairs Committee called on the GAO to examine the national security risks posed by private consulting companies that concurrently contract with the U.S. government and the Chinese government or Chinese state-run enterprises. The bipartisan move also raised concerns that these contractors’ outside work with adversaries like the Chinese government could create conflicts of interest that undermine national security.
