What GAO Observed
In March 2021, GAO issued its high-risk series update and emphasized that federal agencies needed to implement several critical actions to strengthen the nation's cybersecurity and information technology (IT) management efforts. In the update, GAO reiterated the importance of agencies addressing 4 major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. Overall, the federal government has to move with a greater sense of urgency to fully address key cybersecurity challenges. In particular:
- Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the White House's national cyber strategy and associated implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
- Mitigate global supply chain risks. GAO reported in December 2020 that several of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
- Address weaknesses in federal agencies' information security programs. GAO reported in July 2019 that 23 agencies almost always designated a risk executive, but had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.
In its March update, GAO also stressed the importance of the Office of Management and Budget (OMB) and federal agencies fully implementing critical actions recommended to improve the management of IT to better manage tens of billions of dollars in IT investments. GAO emphasized, for example, that
- OMB had demonstrated its leadership commitment to improving IT management, but sustaining this commitment was critically important;
- twenty-one of 24 federal agencies had not yet implemented recommendations to fully address the role of Chief Information Officers, including enhancing their authorities;
- OMB and agencies needed to address modernization challenges and workforce planning weaknesses; and
- agencies could take further action to reduce duplicative IT contracts and reduce the risk of wasteful spending.
Until OMB and federal agencies take critical actions to strengthen efforts to address these important high-risk areas, longstanding and pervasive weaknesses will likely continue to jeopardize the nation's cybersecurity and management of IT.
Why GAO Did This Review
The nation's critical infrastructures and federal agencies are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information. Each year, the federal government spends more than $100 billion on cybersecurity and IT investments.
GAO has long stressed the continuing and urgent need for effective cybersecurity, as underscored by recent events that have illustrated persistent and ever more sophisticated cyber threats and incidents. Moreover, many IT investments have failed, performed poorly, or suffered from ineffective management. Accordingly, GAO has included information security on its high-risk list since 1997 and added improving the management of IT acquisitions and operations in 2015. In its March 2021 high-risk series update, GAO reported that significant attention was required in both of these important areas.
GAO was asked to testify on federal agencies' efforts to address cybersecurity and the management of IT. For this testimony, GAO relied on selected products it previously issued.