Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information
Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information.1 The security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being.
However, safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—has been a long-standing concern. The security of federal cyber assets has been on our High-Risk List since 1997. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. In 2015, we added protecting the privacy of personally identifiable information (PII) that is collected, maintained, and shared by both federal and nonfederal entities.2
Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations identified actions for agencies to take to strengthen technical security controls over their computer networks and systems. They also include recommendations for agencies to fully implement aspects of their information security programs, as mandated by the Federal Information Security Modernization Act (FISMA) of 2014 and its predecessor, the Federal Information Security Management Act of 2002, and to protect the privacy of PII held on their systems. However, many agencies continue to be challenged in safeguarding their information systems and information, in part because many of these recommendations have not been implemented. As of October 2016, about 1,000 of our information security–related recommendations had not been implemented.
Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks. Ineffectively protecting cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.
Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity makes it easier to track individuals by allowing easy access to information pinpointing their locations. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.
1 Critical infrastructure includes systems and assets so vital to the United States that incapacitating or destroying them would have a debilitating effect on national security. These critical infrastructures are grouped by the following industries or "sectors": chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology (IT); nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
2 PII is any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information.
Leadership at the White House and Department of Homeland Security (DHS) demonstrated commitment to improving cybersecurity. For example, the President issued strategy documents for improving aspects of cybersecurity and an executive order (E.O.) and policy directive for improving security and resilience of critical cyber infrastructure. However, challenges remain, such as shortages in qualified cybersecurity personnel and continued weaknesses in agencies’ information security programs. These challenges need to be addressed as initial steps toward removal from the High-Risk List. Furthermore, progress will need to be demonstrated by agencies fully implementing their information security programs and by critical infrastructure sectors improving their cybersecurity.
In addition, Congress enacted legislation intended to strengthen information security across the federal government and to improve the protection of critical cyber assets. The Cybersecurity Act of 2015 established a voluntary framework for sharing cybersecurity threat information between and among the federal government, state governments, and private entities, and protects private sector entities from liability when sharing and receiving cyber threat information.1 The act also makes DHS’s National Cybersecurity and Communications Integration Center responsible for implementing these mechanisms, requires DHS to offer its intrusion and detection capabilities to any federal agency, and calls for agencies to assess their cyber-related workforce.
- Executive Office of the President (EOP) and federal agencies should implement our approximately 1,000 open recommendations, especially those related to implementing risk-based information security programs.
- The federal government should effectively execute the steps in the government-wide plans, including the Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government,1 Cybersecurity National Action Plan,2 and Federal Cybersecurity Workforce Strategy.3
- The federal government needs to resolve the government-wide material weakness in information security for 2 consecutive years and reduce factors that contribute to a significant deficiency, as we reported in our annual audits of the financial statements for the United States government.4
Federal agencies need to effectively implement risk-based, entity-wide information security programs consistently over time. The following actions will assist agencies in implementing their information security programs:
- enhance capabilities to effectively identify cyber threats to agency high-impact systems and information,
- implement sustainable processes for securely configuring information systems and networks,
- patch vulnerable systems and replace unsupported software,
- develop comprehensive security test and evaluation procedures and conduct these examinations on a regular and recurring basis, and
- strengthen oversight of contractors providing information technology (IT) services.
The federal government needs to improve its abilities to detect, respond to, and mitigate cyber incidents. The following actions will assist the federal government in these efforts:
- DHS needs to expand capabilities, improve planning, and support wider adoption of its government-wide intrusion detection and prevention system.
- Agencies need to develop and implement complete policies, plans, and procedures for responding to cyber incidents and effectively oversee response activities.
- Agencies need to consistently implement policies and procedures for responding to breaches of PII.
The federal government needs to expand its cyber workforce planning and training efforts. Agencies need to
- enhance efforts for recruiting and retaining a qualified cybersecurity workforce and
- improve cybersecurity workforce planning activities.
The federal government needs to expand efforts to protect cyber critical infrastructure. For example:
- DHS and sector-specific agencies need to collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber risk mitigation activities; and
- DHS needs to assess whether its efforts to share information on cyber threats, incidents, and countermeasures with federal and non-federal entities are useful and effective.
The federal government needs to better oversee the protection of PII contained in electronic health information and health insurance marketplaces. Needed efforts include the following:
- Department of Health and Human Services (HHS) needs to enhance its oversight and guidance related to the actions to protect privacy implemented by entities that maintain electronic health information.
- HHS's Centers for Medicare & Medicaid Services (CMS) needs to ensure that Healthcare.gov and state health insurance marketplaces have effective controls in place to safeguard electronic health information.
- Congress should consider amending privacy laws to more fully protect the PII collected, used, and maintained by the federal government.
4 A material weakness is a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement on the financial statements will not be prevented or detected. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.
GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
GAO-16-513: Published: Aug 30, 2016. Publicly Released: Sep 29, 2016.
GAO-16-686: Published: Aug 26, 2016. Publicly Released: Sep 15, 2016.
GAO-16-771: Published: Aug 26, 2016. Publicly Released: Sep 26, 2016.
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
GAO-16-317: Published: Apr 21, 2016. Publicly Released: May 9, 2016.
GAO-16-350: Published: Mar 24, 2016. Publicly Released: Apr 25, 2016.
GAO-16-265: Published: Mar 23, 2016. Publicly Released: Mar 23, 2016.
GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.
GAO-16-79: Published: Nov 19, 2015. Publicly Released: Nov 19, 2015.