What GAO Found

In March 2021, GAO issued its high-risk series update and emphasized that federal agencies needed to implement numerous critical actions to strengthen the nation’s cybersecurity and information technology (IT) management efforts. In the update, GAO reiterated the importance of agencies addressing four major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. Overall, the federal government has to move with a greater sense of urgency to fully address key cybersecurity challenges. In particular:

  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the White House’s national cyber strategy and associated implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
  • Mitigate global supply chain risks. GAO reported in December 2020 that few of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
  • Address weaknesses in federal agencies’ information security programs. GAO reported in July 2019 that 23 agencies almost always designated a risk executive, but had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.

In its March update, GAO also stressed the importance of the Office of Management and Budget (OMB) and federal agencies fully implementing critical actions recommended to improve the management of IT to better manage tens of billions of dollars in IT investments. GAO emphasized, for example, that

  • OMB had demonstrated its leadership commitment to improving IT management, but sustaining this commitment was critically important;
  • twenty-one of 24 federal agencies had not yet implemented recommendations to fully address the role of Chief Information Officers, including enhancing their authorities;
  • OMB and agencies needed to address modernization challenges and workforce planning weaknesses; and
  • agencies could take further action to reduce duplicative IT contracts and reduce the risk of wasteful spending.

Until OMB and federal agencies take critical actions to strengthen efforts to address these important high-risk areas, longstanding and pervasive weaknesses will likely continue to jeopardize the nation’s cybersecurity and management of IT.

Why GAO Did This Study

The nation’s critical infrastructures and federal agencies are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information. Each year, the federal government spends more than $100 billion on cybersecurity and IT investments.

GAO has long stressed the continuing and urgent need for effective cybersecurity, as underscored by recent events that have illustrated persistent and ever more sophisticated cyber threats and incidents. Moreover, many IT investments have failed, performed poorly, or suffered from ineffective management. Accordingly, GAO has included information security on its high-risk list since 1997 and added improving the management of IT acquisitions and operations in 2015. In its March 2021 high-risk series update, GAO reported that significant attention was needed in both of these important areas.

GAO was asked to testify on federal agencies’ efforts to address cybersecurity and the management of IT. For this testimony, GAO relied on selected products it previously issued.