The Government Accountability Office offered some big-picture marching orders in a new report this week for three Federal agencies with major cybersecurity portfolios to improve how the agencies are undertaking their security missions.
The thrust of the government watchdog agency’s recommendations is not entirely new – GAO makes hundreds of security-related recommendations to agencies – but the latest report singles out some major themes that it wants to see addressed.
GAO made those recommendations in its second report in a four-part series detailing the Federal government’s high-risk cybersecurity vulnerabilities.
In the agency’s first report of the series – released earlier in January – GAO urged National Cyber Director (NCD) Chris Inglis to release and execute his office’s upcoming national cyber strategy.
In the latest report, dated Jan. 31, GAO is pushing the leadership of big Federal agencies to do more to secure government systems and information.
“We have made about 712 recommendations in public reports since 2010 with respect to securing federal systems and information,” the report says. “Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”
The government watchdog agency is urging the Cybersecurity and Infrastructure Security Agency (CISA) to “improve implementation of government-wide cybersecurity initiatives.”
According to the watchdog, CISA has been tasked with undertaking an organizational transformation initiative to better secure Federal information and systems and to coordinate efforts to protect critical infrastructure against risk.
However, GAO found that critical transformation tasks such as finalizing the mission-essential functions of CISA’s divisions, and defining incident management roles and responsibilities across the agency, have not yet been completed.
The report is also calling on the Office of Management and Budget (OMB) to address weaknesses in Federal agency information security programs.
According to GAO, OMB’s guidance to inspectors general on conducting agency cybersecurity evaluations is not always clear, leading to inconsistent application and reporting. GAO recommends that OMB clarify its guidance on Federal Information Security Modernization Act (FISMA) requirements and create a more precise rating scale.
Finally, the watchdog agency is urging the Defense Department (DoD) to enhance its response to cyber incidents.
“DOD has not yet decided whether [defense industrial base] cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders,” the report said. “Until DOD examines whether this information should be shared with all relevant parties, opportunities could be lost to identify system threats and improve system weaknesses.”