As Federal and state government agencies face growing cyber threats, the Department of Justice (DoJ) must improve its coordination with other Federal agencies on cybersecurity requirements and assessments of state agencies to better manage fragmentation of that process, the Government Accountability Office (GAO) said in its latest annual open priority recommendations report to the agency.
The latest report recounts that following recommendations made to DoJ by GAO in 2021, the Federal Bureau of Investigation (FBI) established a Criminal Justice Information Services (CJIS) Policy Modernization Task Force to advise the FBI on updates to its cybersecurity requirements.
In addition, the FBI created a Data Categorization Task Force to review and categorize criminal justice information under guidance from the National Institute of Standards and Technology (NIST).
Those were, GAO said, positive steps that “could lead to less variance among the Federal agencies’ cybersecurity requirements for states.”
“However, the discussions are in the early stages, and it is too soon to assess the FBI’s efforts to solicit input on remaining areas of its cybersecurity requirements and how the FBI will use that input when revising its requirements,” the government watchdog agency said.
GAO recommended that the FBI Director collaborate with the Office of Management and Budget to solicit input from several Federal agencies and state agency stakeholders on revisions to its security policy, to ensure that its cybersecurity requirements for state agencies are consistent with those of other Federal agencies and with NIST guidance to the greatest extent possible.
“To fully address our recommendation, the FBI will need to complete efforts to solicit input from federal and state agency stakeholders, including state IT stakeholders as appropriate, on its cybersecurity requirements before determining changes it will make to address variances among Federal agencies’ cybersecurity requirements for states,” GAO stated in its recommendation.
Additionally, GAO recommended that the FBI Director revise its assessment policies to maximize coordination with other Federal agencies to the greatest extent practicable. Specifically, the FBI needs to assess the input it has received from other Federal agencies and determine what changes it can make to its assessment policies and procedures to enhance coordination.
Until the FBI revises its assessment policies, the agency may be placing unnecessary burdens on state officials’ time and resources in responding to overlapping or duplicative requests and inquiries, retesting controls that have already been evaluated, or reporting similar findings, the report states.
GAO did acknowledge work that DoJ has already done on related cybersecurity fronts. That includes establishing a cybersecurity risk management strategy that defines and documents its approach to coordination between its cybersecurity and enterprise risk management functions, improving its identification of acceptable risk levels and response strategies, and better ensuring that cyber risks are incorporated into department-level risk mitigation activities.