Improvements must be made to the federal government’s cybersecurity measures, especially to ensure that federal information systems and cyber critical infrastructure remain secure, according to a recent GAO report.
Changes will also help ensure the government can protect the privacy of personally identifiable information (PII).
“Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets,” the report’s authors explained. “Hence, ineffective controls could have a significant impact on a broad array of government operations and assets.”
One specific area for improvement is that the federal government must effectively and consistently implement risk-based, entity-wide information security programs over time, GAO wrote. This would include implementing “sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices,” patching vulnerable systems, and replacing unsupported software.
There must also be better cyber incident detection, mitigation, and response. Specifically, DHS needs “to expand the capabilities and support wider adoption of its government-wide intrusion detection and prevention system.”
Cyber workforce planning and training efforts also need to be expanded, GAO maintained.
“The federal government needs to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities,” the report stated.
Critical infrastructure cybersecurity measures also need to improve, which would include promoting the NIST Cybersecurity Framework. Additionally, the federal government must “measure and report on effectiveness of cyber risk mitigation activities and the cybersecurity posture of critical infrastructure sectors.”
Finally, GAO recommended that the government improve its overall oversight of PII. Electronic health information privacy and security is especially critical, and user data on health insurance marketplaces must remain protected. Privacy must also be ensured when face recognition systems are used.
GAO noted that several of its investigative reports and ensuing conclusions over the years are consistent with or similar to recommendations made by the Cybersecurity Commission and CSIS. This includes the following:
- Creating an international cybersecurity strategy
- Protecting critical cyber infrastructure
- Promoting use of the NIST Cybersecurity Framework
- Prioritizing cybersecurity research and development
- Expanding cybersecurity workforce capabilities
- Combating cybercrime
The federal government’s dependence on computerized information systems and electronic data makes it particularly vulnerable to the continuously evolving cybersecurity threats, GAO warned.
“Securing these systems and data is vital to the nation’s security, prosperity, and well-being,” the report explained. “Nevertheless, the security over these systems is inconsistent and additional actions are needed to address ongoing cybersecurity and privacy challenges.”
GAO had similar findings in a report released earlier this month that investigated cybersecurity in the Department of Homeland Security (DHS).
The agency explained that DHS has worked toward implementing necessary cybersecurity measures in its National Cybersecurity and Communications Integration Center (NCCIC), but there are still factors impeding its efficiency and effectiveness.
NCCIC must perform 11 cybersecurity-related functions under the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015. This includes sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.
NCCIC has not yet determined how those principles apply to all 11 functions, and instances were identified where cybersecurity functions were not performed in accordance with the principles.
“Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks,” the report’s authors wrote.
GAO did note that NCCIC had taken the right steps to perform its required cybersecurity functions but that “the extent to which NCCIC carried out these functions in accordance with the nine principles” is unclear because the center has not evaluated its performance consistently.