Federal and contractor systems face an evolving array of cyber-based threats. These threats can be unintentional (for example, equipment failure or careless or poorly trained employees) or intentional (targeted or untargeted attacks from criminals, hackers, adversarial nations, or terrorists, among others). Threat actors use a variety of attack techniques that can adversely affect federal information, computers, software, networks, or operations, potentially resulting in the disclosure, alteration, or loss of sensitive information; destruction or disruption of critical systems; or damage to economic and national security. These concerns are further highlighted by the sharp increase in cyber incidents reported by federal agencies over the last several years, as well as the reported impact of such incidents on government and contractor systems.
Because of the risk posed by these threats, it is crucial that the federal government take appropriate steps to secure its information and information systems. However, GAO has identified a number of challenges facing the government's approach to cybersecurity, including the following:
- Implementing risk-based cybersecurity programs at federal agencies: For fiscal year 2014, 19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting. In addition, inspectors general at 23 of these agencies cited information security as a major management challenge for their agency.
- Securing building and access control systems: GAO previously reported that the Department of Homeland Security lacked a strategy for addressing cyber risks to agencies' building and access control systems — computers that monitor and control building operations — and that the General Services Administration had not fully assessed the risk of cyber attacks to such systems.
- Overseeing contractors: The agencies GAO reviewed were inconsistent in overseeing contractors' implementation of security controls for systems they operate on behalf of agencies.
- Improving incident response: The agencies GAO reviewed did not always effectively respond to cybersecurity incidents or develop comprehensive policies, plans, and procedures to guide incident-response activities.
- Responding to breaches of personally identifiable information: The agencies GAO reviewed have inconsistently implemented policies and procedures for responding to data breaches involving sensitive personal information.
- Implementing security programs at small agencies: Smaller federal agencies (generally those with 6,000 or fewer employees) have not always fully implemented comprehensive agency-wide information security programs.
Until agencies take actions to address these challenges (including the hundreds of recommendations made by GAO and inspectors general), their systems and information will be at increased risk of compromise from cyber-based attacks and other threats.