An audit report from the Government Accountability Office found that federal agencies have not done enough to address cybersecurity risks and have often failed to comply with their own security policies.
One-third of the cybersecurity recommendations issued by the GAO since 2010 had not been implemented as of August 2018, the report said, and 31 of 35 priority recommendations had not yet been addressed.
The GAO said the federal government still needed to address weaknesses in federal systems. It also needs to enhance incident response efforts, improve critical cyber infrastructure, and prioritize efforts to protect the privacy of individuals.
“The federal government needs to implement a more comprehensive cybersecurity strategy and improve its oversight, including maintaining a qualified cybersecurity workforce,” the report’s authors wrote.
Other elements that a comprehensive strategy needs to address include mitigating the supply chain risks originating from foreign-manufactured IT equipment and ensuring the security of emerging technologies, the GAO said.
The GAO report was based on an audit conducted from February to September. The Securities and Exchange Commission, Internal Revenue Service, and Federal Deposit Insurance Corp. were among the agencies cited for failures.
The GAO faulted the SEC for not always maintaining complete or accurate security plans or implementing continuous monitoring, as the SEC’s own policies required. The IRS did not adequately update some of its system security plans, and the FDIC failed to make sure major security incidents were identified and reported properly, as its own inspector general had recommended.
The GAO has made more than 3,000 cybersecurity recommendations since 2010, identifying ten critical actions and four major challenges. Consistent with the one-third figure above, roughly 1,000 of those recommendations had still not been put in place.
“Until our recommendations are addressed and actions are taken to address the four challenges we identified, the federal government, the national critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to the multitude of cyber-related threats that exist,” the report’s authors wrote.
The GAO said it would issue another assessment in February 2019.
The GAO first designated federal information security as a government-wide high-risk area in 1997. It expanded the designation to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.
The GAO report came nearly a year after Equifax disclosed that attackers had stolen the personal data of about 148 million people in the United States.