Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information - High Risk Issue
Pervasive and sustained cyberattacks against the United States could have a potentially devastating impact on the nation’s computer networks and systems, disrupting the operations of the federal government, critical infrastructure, and the lives of private individuals.
Federal agencies and the nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on computerized (cyber) information systems and electronic data to carry out operations and to process, maintain, and report essential information.
The security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern. The security of federal cyber assets has been on GAO’s High Risk list since 1997. The area has since been expanded to include the protection of critical cyber infrastructure and the privacy of personally identifiable information (PII) that is collected, maintained, and shared by both federal and nonfederal entities. PII is any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information.
Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, as well as escalating and emerging threats from around the globe. The steady advance in the sophistication of attack technology and the emergence of new and more destructive attacks also pose risks. The ineffective protection of cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.
Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases. In addition, lower data storage costs have made it less expensive to store vast amounts of data. Also, ubiquitous Internet and cellular connectivity facilitates the tracking of individuals by allowing easy access to information pinpointing their location. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.
Over the last several years, GAO has made about 2,500 recommendations to agencies aimed at improving their implementation of information security controls. These recommendations identify actions for agencies to take in protecting their information and systems. Other recommendations were for agencies to fully implement their information security programs and better protect the privacy of PII held on their systems. However, many agencies continue to have weaknesses in implementing these controls, in part because many of these recommendations have not been implemented. As of October 2016, about 1,000 of the information security-related recommendations had not been implemented.