US GAO presses for more cybersecurity coordination at DOJ, following growing number of cyber threats
The U.S. Government Accountability Office (GAO) has called on the Department of Justice (DOJ) to improve cybersecurity coordination as federal and state government agencies face growing cyber threats to their systems and data. In its update on the overall status of the DOJ's implementation of GAO's recommendations, GAO told the DOJ that "fully implementing these open recommendations could significantly improve agency operations" and that the agency should prioritize them.

Last June, GAO identified 12 priority recommendations for the DOJ, four of which the department has since implemented. In its latest report, GAO added two more priority recommendations, bringing the number of open priority recommendations to ten. The two new recommendations call for the Federal Bureau of Investigation (FBI) to coordinate with other federal agencies on cybersecurity requirements for, and assessments of, state agencies, and for the FBI director to revise the bureau's assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. The FBI has agreed with both recommendations.

Among the recommendations it has implemented, the DOJ established a cybersecurity risk management strategy and defined and documented its approach to coordination between its cybersecurity and enterprise risk management functions. These steps improve the identification of acceptable risk levels and response strategies and ensure that cyber risks are incorporated into department-level risk mitigation activities.

"By fully implementing two priority recommendations in this area, DOJ could improve its coordination with other federal agencies on cybersecurity requirements and assessments of state agencies to better manage fragmentation and the associated costs," GAO said in its report. The two recommendations focus on the FBI ensuring that its cybersecurity requirements for states are consistent with those of other federal agencies and with National Institute of Standards and Technology (NIST) guidance, and on revising its assessment policies to maximize coordination, GAO added.

The federal watchdog called on the FBI director to, in collaboration with the Office of Management and Budget (OMB), solicit input from the Centers for Medicare & Medicaid Services (CMS), the Internal Revenue Service (IRS), the Social Security Administration (SSA), and state agency stakeholders on revisions to the FBI's security policy. The aim is to ensure that cybersecurity requirements for state agencies are consistent with those of other federal agencies and with NIST guidance to the greatest extent possible.

"As of February 2022, the FBI established a Criminal Justice Information Services (CJIS) Policy Modernization Task Force consisting of representatives from the CMS and IRS, as well as representatives from state law enforcement agencies and courts, to advise FBI on updates to its cybersecurity requirements," GAO said in its report. The FBI also created a Data Categorization Task Force to review and categorize criminal justice information according to NIST guidance. GAO added that both task forces had held initial discussions on some of the FBI's cybersecurity requirements and assessment policies that affect state agencies.

GAO said the FBI also noted that it expects to further align its CJIS policy with NIST guidance, to be more consistent with how other federal agencies use that guidance in their security policies. These steps could reduce the variance among federal agencies' cybersecurity requirements for states. However, the discussions are at an early stage, and it is too soon to assess the FBI's efforts to solicit input on the remaining areas of its cybersecurity requirements, or how the FBI will use that input when revising them.

Further, it is not yet clear how the FBI intends to solicit input from state agency IT stakeholders, who have previously described conflicts among federal agencies' requirements as burdensome and problematic, GAO said. To fully address GAO's recommendation, the FBI will therefore need to complete its efforts to solicit input from federal and state agency stakeholders, including state IT stakeholders as appropriate, on its cybersecurity requirements before deciding what changes it will make to address variances among federal agencies' cybersecurity requirements for states.

The GAO added in its report that coordinating to address variances in federal agencies’ cybersecurity requirements could help reduce cost, time, and other burdens resulting from these variances.

On the second recommendation, GAO said that as of February 2022 the FBI reported that staff from its CJIS Audit Unit had held several discussions with CMS, IRS, and SSA officials. Through those discussions, the agencies shared information on their assessment processes for state agencies, including which agencies and data are covered by assessments, previous assessment results, and the potential for further coordination of assessment schedules.

The FBI said it expects to hold these discussions biannually. It has also solicited input from these federal agencies through its CJIS Security Policy Modernization Task Force, according to GAO. The FBI added that once it has transitioned to a more robust adoption of the NIST security framework, it would revisit assessment coordination with the other federal agencies, but it did not have a time frame for completing these efforts.

GAO said that to fully implement this recommendation, the FBI needs to assess the input it has received from other federal agencies and determine what changes it can make to its assessment policies and procedures to enhance coordination. Until the FBI revises those policies, GAO added, it may be placing unnecessary burdens on state officials' time and resources by issuing overlapping or duplicative requests and inquiries, retesting controls that have already been evaluated, or requiring similar findings to be reported more than once.

Last month, a separate GAO report found that the Department of Defense (DOD) has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO's analysis of DOD reports, including a June 2021 report to Congress, and data from DOD's risk management tools.