Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges
Fast Facts
To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.
These key practices include:
Designating a cybersecurity risk executive
Developing a risk management strategy and policies
Assessing cyber risks
Coordinating between cybersecurity and enterprise-wide risk management functions
All but one of the 23 agencies we reviewed designated a risk executive. However, none of these agencies fully incorporated the other key practices into their programs.
We made 58 recommendations to federal agencies to help improve their cybersecurity risk management programs.
Highlights
What GAO Found
Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program. Although the 23 agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:
Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.
Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.
Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.
Eleven agencies have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.
Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.
Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.
Agencies identified multiple challenges in establishing and implementing cybersecurity risk management programs (see table).
Agency Challenges in Establishing Cybersecurity Risk Management Programs
Challenge | Agencies reporting challenge |
---|---|
Hiring and retaining key cybersecurity management personnel | 23 |
Managing competing priorities between operations and cybersecurity | 19 |
Establishing and implementing consistent policies and procedures | 18 |
Establishing and implementing standardized technology capabilities | 18 |
Receiving quality risk data | 18 |
Using federal cybersecurity risk management guidance | 16 |
Developing an agency-wide risk management strategy | 15 |
Incorporating cyber risks into enterprise risk management | 14 |
Source: GAO analysis of agency data. | GAO-19-384
In response to a May 2017 executive order, the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) identified areas for improvement in agencies' capabilities for managing cyber risks. Further, they have initiatives under way that should help address four of the challenges identified by agencies—hiring and retention, standardizing capabilities, receiving quality risk data, and using guidance. However, OMB and DHS did not establish initiatives to address the other challenges on managing conflicting priorities, establishing and implementing consistent policies, developing risk management strategies, and incorporating cyber risks into ERM. Without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.
Why GAO Did This Study
Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.
GAO was asked to review federal agencies' cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face. To do this, GAO reviewed policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to key federal cybersecurity risk management practices, obtained agencies' views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.
Recommendations
GAO is making 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges. Seventeen agencies agreed with the recommendations, one partially agreed, and four, including OMB, did not state whether they agreed or disagreed. GAO continues to believe all its recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management; and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1) | The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of March 2024, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred. |
Department of Agriculture | Priority Rec. The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2) | In June 2021, in response to our recommendation, the department issued its Cybersecurity Risk Management Strategy. This strategy addressed the key elements, including a statement of the department's risk tolerance and how it intends to assess, respond to, and monitor risk. By developing this strategy, USDA should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. Accordingly, we consider this recommendation to be implemented. |
Department of Agriculture | The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3) | In October 2021, the Department of Agriculture, in response to our recommendation, provided updated policies and procedures that address the missing elements identified in our report. In particular, the updated policies and procedures describe how the department will use risk assessments to inform control tailoring and the prioritization of POA&Ms. By ensuring that its policies address these key elements, the department is better positioned to effectively identify and prioritize activities to mitigate cybersecurity risks. Accordingly, we consider this recommendation to be implemented. |
Department of Agriculture | Priority Rec. The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4) | In October 2023, the Department of Agriculture, in response to our recommendation, provided updated policies and procedures that address coordination between cybersecurity risk management and enterprise risk management functions. In particular, the updated policies and procedures describe USDA's ERM program, which includes every Mission Area and Staff Office. The Staff Offices include USDA's Office of the Chief Information Officer (OCIO). Every Mission Area and Staff Office is a part of a process for identifying and elevating risks, including cybersecurity risks. In addition, the Mission Areas and Staff Offices participate in the department's Performance, Evidence, Evaluation, and Risk Committee, which leads the department's ERM function. Accordingly, we consider this recommendation to be implemented. By taking these steps, USDA is better positioned to address significant cybersecurity risks in the context of other risks and their potential impacts on the mission of the agency. |
Department of Commerce | The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5) | The Department of Commerce did not state whether or not it concurred with this recommendation. As of March 2024, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred. |
Department of Commerce | Priority Rec. The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6) | In April 2021, in response to our recommendation, the department provided evidence that it had established a process for quarterly and annual organization-wide cybersecurity risk assessments, which provide an opportunity for the DOC Office of the Chief Information Officer (OCIO) to improve cybersecurity risk management strategies based on data gathered from Bureaus and organizational units across DOC. This process should help the department identify trends or prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to the systems and organization. Accordingly, we consider this recommendation to be implemented. |
Department of Education | Priority Rec. The Secretary of Education should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 7) | In April 2020, in response to our recommendation, Education updated its cyber risk management framework to address the missing elements identified in our report. The framework now includes a statement of risk tolerance and acceptable risk response strategies. As a result, Education now has a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. |
Department of Energy | Priority Rec. The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8) | The Department of Energy concurred with this recommendation. In March 2022, DOE provided an Enterprise Cybersecurity Program Plan, which officials stated can be used as a template for its departmental elements' programs and tailored to their needs as necessary. DOE also noted that departmental elements may choose to develop their own cybersecurity program plans, and provided several examples. However, while the Enterprise Cybersecurity Program Plan and its supplemental guidance include key elements such as how risks should be assessed, risk response strategies, and a discussion of risk monitoring, neither it nor most of the departmental element plans we reviewed discuss organizational risk tolerance in detail. As of March 2024, DOE had not provided additional evidence to show that it had incorporated details of its approach to risk tolerance in its enterprise cybersecurity program plan. We intend to follow up with DOE regarding this recommendation and verify whether implementation has occurred. |
Department of Energy | The Secretary of Energy should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the identification of common controls. (Recommendation 9) | The Department of Energy concurred with this recommendation and has taken steps to implement it. In February 2020, the department sent us its updated policy governing its cybersecurity program. This policy addresses the missing elements by requiring an organization-wide cybersecurity risk assessment and addressing the identification of common controls. Accordingly, we consider this recommendation to be implemented. |
Department of Health and Human Services | Priority Rec. The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10) | The Department of Health and Human Services concurred with this recommendation. In response to our recommendation, in December 2021, HHS issued its Cybersecurity Risk Management Strategy, Version 1.0. This strategy established a foundation for the department's cybersecurity risk management activities. Further, the strategy addresses the key elements identified in our report. These include a statement of risk tolerance, as well as how the department intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation to be implemented. By establishing the strategy, HHS will have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. |
Department of Health and Human Services | The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11) | The Department of Health and Human Services partially concurred with this recommendation. In November 2021, the department updated its Policy for Information Security and Privacy Protection. This updated policy requires an organization-wide cybersecurity risk assessment and the use of risk assessments to inform security control tailoring. Accordingly, we consider this recommendation to be implemented. By incorporating these elements in its policies, HHS is better positioned to identify and prioritize activities to mitigate cybersecurity risks. |
Department of Health and Human Services | Priority Rec. The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12) | The Department of Health and Human Services concurred with this recommendation. In January 2022, in response to our recommendation, HHS established an organization-wide cybersecurity risk assessment methodology. This assessment is led by HHS's Office of Information Security (OIS) Risk Management Branch, which collects information related to cyber risks from across the department and scores it according to a defined methodology for determining areas of risk, maturity, and improvement across the department. HHS uses this process to track, prioritize, and measure identified risks and identify common trends, threats, or vulnerabilities. Accordingly, we consider this recommendation to be implemented. By establishing this process, HHS will be better positioned to identify trends or prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to the systems and organization. |
Department of Health and Human Services | The Secretary of Health and Human Services should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 13) | The Department of Health and Human Services concurred with this recommendation and has taken steps to implement it. In February 2020, HHS provided evidence to show that it has established a process for coordination between its cybersecurity risk management and enterprise risk management (ERM) functions. Specifically, the department established an Enterprise Risk Management Council to oversee and coordinate the implementation of ERM, in which the department's Chief Information Security Officer (CISO) was added as a voting member in order to provide perspectives on information security and privacy. Additionally, both the CISO and Chief Information Officer (CIO) attend meetings of the ERM council. Accordingly, we consider this recommendation implemented. |
Department of Homeland Security | Priority Rec. The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14) | The Department of Homeland Security concurred with this recommendation. In March 2021, DHS provided its OCIO Management Cybersecurity Risk Management Strategy, and the strategy addresses the key elements identified in our report. This includes a statement of risk tolerance and how the agency intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation implemented. |
Department of Homeland Security | Priority Rec. The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15) | The Department of Homeland Security concurred with this recommendation, and in January 2023 provided evidence that it had established such a process. Specifically, DHS established an enterprise risk management (ERM) steering committee to design and inform implementation of DHS's ERM capability. This committee includes senior representation from the DHS Chief Information Officer, who serves as the risk executive under the department's cybersecurity risk management program. Accordingly, we consider this recommendation to be implemented. By establishing this process, DHS is better positioned to ensure that senior leadership responsible for ERM are aware of significant cybersecurity risks and can address them in the context of other risks and their potential impacts on the mission of the agency. |
Department of Housing and Urban Development | Priority Rec. The Secretary of Housing and Urban Development should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16) | The Department of Housing and Urban Development concurred with this recommendation and has taken steps to implement it. In September 2020, the department issued its Cybersecurity Risk Management Strategy, and in May 2021 issued its Office of the Chief Information Officer (OCIO) Enterprise Risk Management Standard Operating Procedure, which provides additional details on how the OCIO will identify, assess, respond to, and monitor enterprise risks in order to support HUD's business objectives. Taken together, these documents address the key elements identified in our report. By establishing a strategy that addresses key elements, HUD should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should update the department's policies to require the use of risk assessments to inform POA&M prioritization. (Recommendation 17) | The Department of Housing and Urban Development concurred with this recommendation and has taken steps to implement it. In March 2020, HUD updated its POA&M procedures to include a requirement that considerations of risk inform the prioritization of POA&Ms. Accordingly, we consider this recommendation to be implemented. |
Department of the Interior | Priority Rec. The Secretary of the Interior should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 18) | The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Interior Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the department's Enterprise Cybersecurity Risk Management Program. This plan includes the elements identified in our report, including a statement of risk tolerance and how the department intends to assess, respond to, and monitor risk. Accordingly, we consider this recommendation to be implemented. |
Department of the Interior | The Secretary of the Interior should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 19) | The Department of the Interior concurred with this recommendation and has taken steps to implement it. In June 2020, the department issued its Enterprise Cybersecurity Risk Management Plan, which forms the basis for and outlines the structure of the Department of the Interior's Enterprise Cybersecurity Risk Management Program. This plan includes a provision for a department-wide assessment of cybersecurity risks. Specifically, the plan states that the Cyber Risk Office is responsible for aggregating risks from all levels, ensuring visibility at various levels of senior management. Accordingly, we consider this recommendation to be implemented. |
Department of the Interior | Priority Rec. The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20) | The Department of the Interior concurred with this recommendation. In April 2021, in response to our recommendation, the department provided evidence that it had established a process for coordination between its cybersecurity and enterprise risk management (ERM) functions. Specifically, the department established a group including the departmental chief information officer (CIO) and bureau-level CIOs that is responsible for, among other things, raising issues of concern to appropriate senior officials. This includes raising significant IT risks to the department's Chief Risk Officer (CRO), who serves as the principal senior staff member in carrying out ERM responsibilities, such as maintaining a comprehensive portfolio of enterprise risks and providing department leadership with information regarding the status of ERM efforts and management of individual risks. This coordination process should help Interior better address significant cybersecurity risks in the context of other risks and their potential impacts on the mission of the agency. Accordingly, we consider this recommendation to be implemented. |
Department of Justice | Priority Rec. The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21) | In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. In May 2022, in response to our recommendation, DOJ provided evidence that it had developed a cybersecurity risk management strategy that addresses the key elements identified in our report. Specifically, DOJ's strategy comprises multiple strategic documents, which taken together articulate the department's approach to cybersecurity risk tolerance and how it intends to assess, respond to, and monitor risks. Accordingly, we consider this recommendation to be implemented. By establishing the strategy, DOJ should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. |
Department of Justice | Priority Rec. The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22) | In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. However, in April 2022, in response to our recommendation, DOJ provided evidence to show that it had established a process for coordination between its cybersecurity and enterprise risk management (ERM) functions. In particular, DOJ established an Office of the Chief Information Officer enterprise risk management working group, as well as a process for reporting cyber-related risks to its department-wide ERM working group, which provides consolidated risk information to DOJ senior leadership. Accordingly, we consider this recommendation to be implemented. |
Department of Labor | The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23) | The Department of Labor concurred with this recommendation. As of March 2024, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred. |
Department of State | The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24) | The Department of State concurred with this recommendation. In August and September 2023, State provided updated documentation showing that it had incorporated the missing elements into its policies and procedures. Specifically, State's updated policies require cybersecurity risk assessments at the organization level, risk assessments for individual systems, an approach to tailoring security and privacy controls based on risk, and the prioritization of POA&Ms based on risk level. Accordingly, we consider this recommendation to be implemented. By taking these steps, State is better positioned to identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. |
Department of State | Priority Rec. The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25) | The Department of State concurred with this recommendation and in September 2023 provided evidence that it had established a process for coordination between its cybersecurity and enterprise risk management (ERM) functions. Specifically, State developed a process for escalating cyber risks within the department, including the development of a cyber risk register to capture and communicate these risks. Further, State's Enterprise Governance Board, which is responsible for department-wide ERM, reviews the reported cyber risks for inclusion in the department's enterprise risk register. Accordingly, we consider this recommendation to be implemented. By taking these steps, State is better positioned to address cybersecurity risks in the context of other risks and their potential impacts on the mission of the agency. |
Department of Transportation | Priority Rec. The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26) | The Department of Transportation concurred with this recommendation. As of March 2024, DOT officials stated that they had drafted a departmental cybersecurity strategy and planned to finalize it in the fourth quarter of fiscal year 2024. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred. |
Department of Transportation | The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27) | The Department of Transportation concurred with this recommendation. The department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment, but as of March 2024, it had not provided these updated policies and procedures or an estimated completion date. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred. |
Department of Transportation | Priority Rec. The Secretary of Transportation should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 28) | In April 2020, in response to our recommendation, the department updated its Information Technology Risk Management standard operating procedure, which describes, among other things, how the department's Office of the Chief Information Officer is to coordinate with the office responsible for enterprise risk management (ERM) functions. This includes the incorporation of cybersecurity and privacy risks into the department's ERM process. Accordingly, senior leadership at Transportation responsible for ERM is in a better position to be fully aware of significant cybersecurity risks and, thus, positioned to address them in the context of other risks and their potential impacts on the mission of the agency. |
Department of the Treasury | Priority Rec. The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29) | In March 2021, in response to our recommendation, Treasury finalized its Enterprise Cyber Security Risk Management Strategy. This strategy addresses the key elements identified in our report, including a statement of the department's risk tolerance and how it intends to assess, respond to, and monitor cyber risks. By developing this strategy, Treasury should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. Accordingly, we consider this recommendation to be implemented. |
Department of the Treasury | Priority Rec. The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30) | In March 2021, in response to our recommendation, Treasury provided evidence to show that it had developed a process for conducting an organization-wide cybersecurity risk assessment. This includes a consolidated enterprise risk register that includes data from multiple sources to identify cybersecurity risks across the IT enterprise and an analytical system to aggregate data from multiple different sources and score, rank, and prioritize risks to show the most pressing cyber risks across the organization. By establishing such a process, Treasury has enhanced its ability to identify trends or prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to the systems and organization. Accordingly, we consider this recommendation to be implemented. |
Department of the Treasury | The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31) |
In March 2022, in response to our recommendation, Treasury provided evidence that it had addressed this recommendation. Specifically, as part of its enterprise risk management (ERM) framework, Treasury established an ERM Council whose role is to discuss implementation of ERM standards, best practices, and emerging risks across the department's programs and to advise program managers on addressing, reporting, and elevating risks. The ERM Council includes representation from the department's Office of the Chief Information Officer (OCIO), and the Office of Risk Management works with OCIO to develop several of the risks on the Treasury risk profile. By establishing such a process, Treasury is better positioned to consider cybersecurity risks in the context of organization-wide operations and of other key risks facing the department. Accordingly, we consider this recommendation to be implemented.
|
Department of Veterans Affairs | Priority Rec. The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32) |
The Department of Veterans Affairs concurred with this recommendation. In response to our recommendation, in February 2022, VA provided its Executive Cybersecurity Risk Management Strategy, which is intended to establish an integrated, enterprise-wide approach for managing cybersecurity risks to VA. This strategy addresses key elements, including a discussion of the department's risk tolerance and how it intends to assess, respond to, and monitor risks. By establishing such a strategy, VA should have a better organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data. Accordingly, we consider this recommendation to be implemented.
|
Department of Veterans Affairs | The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33) |
The Department of Veterans Affairs concurred with this recommendation. In response to our recommendation, VA provided its cybersecurity directive, updated in February 2021, which calls for VA to develop an understanding of enterprise-wide cybersecurity and privacy risks through risk assessments and the sharing of risk information across the department. By ensuring that its policies include key cybersecurity risk management activities, VA enhances its ability to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. Accordingly, we consider this recommendation to be implemented.
|
Department of Veterans Affairs | Priority Rec. The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34) |
The Department of Veterans Affairs concurred with this recommendation, and in March 2022, in response to our recommendation, VA provided evidence of processes it had established for conducting organization-wide cyber risk assessments. In particular, VA uses multiple processes and tools to assess cyber risks across its enterprise, including a quantitative enterprise risk analysis that includes a root cause analysis and the use of specific criteria to identify the severity of risks; a cybersecurity architecture review that uses threat assessments to identify needed improvements in the department's cybersecurity capabilities; and enterprise-wide vulnerability scans whose results are populated into department-level reporting systems. Accordingly, we consider this recommendation to be implemented.
|
Department of Veterans Affairs | The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35) |
The Department of Veterans Affairs (VA) concurred with this recommendation, and in September 2021, in response to our recommendation, provided evidence to show that it had established a process for coordination between cybersecurity risk management and enterprise risk management functions. Specifically, VA's Office of Information and Technology (OIT), which houses the VA cybersecurity program, established an enterprise risk management (ERM) program which coordinates with the VA-wide ERM program through mechanisms such as participating in the VA-wide Enterprise Risk Council and developing an OIT Risk Profile which informs the VA-wide risk profile. In addition, the Office of Information Security participates in the ERM Working Group to ensure that cybersecurity and privacy risks and equities are understood and integrated in these processes. By establishing such a process, VA is better positioned to address cybersecurity risks in the context of other risks and their potential impact on agency missions. Accordingly, we consider this recommendation to be implemented.
|
U.S. Agency for International Development | The Administrator of the United States Agency for International Development (USAID) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 36) |
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided its updated Risk Management Framework Handbook which (1) states that the agency's Chief Information Officer, Senior Agency Official for Privacy, and Chief Information Security Officer are to aggregate system assessments to develop enterprise/organizational risk assessment results to inform the risk management strategies and (2) outlines a process for control tailoring informed by risk considerations. Accordingly, we consider this recommendation to be closed and implemented.
|
U.S. Agency for International Development | The Administrator of USAID should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 37) |
USAID concurred with this recommendation and has taken steps to implement it. In December 2019, USAID provided evidence that it had established a process for conducting an organization-wide cybersecurity risk assessment. Specifically, the agency developed a dashboard that aggregates cyber indicators for systems from organizations and sub-organizations across the agency. The status of these items is scored according to a standard formula that allows the agency to produce a score at the system, bureau, and organization levels. These results are briefed to the CIO and allow the CIO organization to prioritize resources for any problematic areas as necessary. Accordingly, we consider this recommendation to be closed and implemented.
|
Environmental Protection Agency | Priority Rec. The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38) |
In response to our recommendation, in December 2020, EPA provided its updated cybersecurity risk management strategy, which addresses the key elements called for in federal guidance. This includes a discussion of the agency's risk tolerance and how it intends to assess, respond to, and monitor cybersecurity risks on an ongoing basis. By updating its strategy to include all key elements, EPA should enhance its organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect the agency's systems and data. Accordingly, we consider this recommendation to be implemented.
|
Environmental Protection Agency | The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39) |
EPA has taken steps to implement this recommendation. In May 2020, in response to our recommendation, EPA issued its Information Security Risk Management Strategic Plan. Among other things, the plan discusses how the agency will assess risk at various organizational levels, including providing for an organization-wide cybersecurity risk assessment. The plan requires the Senior Agency Information Security Official to leverage various tools and information to determine system level and, in aggregate, mission- and agency-level cybersecurity risks. By ensuring that its policies include key cybersecurity risk management activities, EPA enhances its ability to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. Accordingly, we consider this recommendation to be implemented.
|
Environmental Protection Agency | Priority Rec. The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40) |
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of March 2024, EPA officials stated that they were continuing to plan for an organization-wide cybersecurity risk assessment, but that due to a recent programmatic delay the planned February 2024 date had slipped by 6 to 8 months. EPA officials added that they were in the process of updating an internal procedure to address ongoing risk assessment activities. We are continuing to follow up with EPA to verify whether implementation has occurred.
|
Environmental Protection Agency | The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41) |
The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of March 2024, EPA provided evidence that it had established an enterprise risk management (ERM) program that includes coordination with cybersecurity. Specifically, EPA established a process, led by its Office of the Chief Financial Officer, for identifying, assessing, and elevating risks to the EPA enterprise. All offices within EPA participate in this process, including IT security functions, led by the Deputy Chief Information Security Officer within EPA's Office of Mission Support. By taking these steps, EPA is better positioned to ensure that senior leaders are considering cybersecurity risks in the context of other key risks facing the agency. Accordingly, we consider this recommendation to be implemented.
|
General Services Administration | Priority Rec. The Administrator of General Services should designate and document a risk executive function with responsibilities for organization-wide cybersecurity risk management. (Recommendation 42) |
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, and the updated strategy designates and documents the agency's risk executive function. Specifically, it states that the risk executive function at GSA is handled by the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management. Further, for cybersecurity risks, the Chief Information Security Officer (CISO), Authorizing Officials, and subject matter experts facilitate the consistent application of risk management across GSA. The CISO coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
|
General Services Administration | The Administrator of General Services should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 43) |
The General Services Administration concurred with this recommendation and has taken steps to implement it. In July 2020, GSA provided an updated IT security policy, which requires an organization-wide cybersecurity risk assessment. Specifically, the policy states that the risk executive function is responsible for, among other things, determining organizational risk based on the aggregated risk from the operation and use of information systems and their respective environments of operation. Accordingly, we consider this recommendation to be implemented.
|
General Services Administration | Priority Rec. The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44) |
The General Services Administration concurred with this recommendation and has taken steps to implement it. In October 2020, GSA provided evidence of a process for aggregating system-level risks and communicating them to the enterprise level. These risks are communicated via regular reports to officials throughout the agency, including the GSA Administrator. Further, the agency's Enterprise Executive Risk Subcommittee identifies and monitors agency-wide risks facing GSA, coordinating with risk owners to engage the GSA Enterprise Management Board in risk mitigation and elimination. Accordingly, we consider this recommendation to be implemented.
|
General Services Administration | The Administrator of General Services should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 45) |
The General Services Administration concurred with this recommendation and has taken steps to implement it. In June 2020, GSA updated its IT Risk Management Strategy, which includes a process for coordination between cybersecurity risk management and enterprise risk management functions. Specifically, it states that the Enterprise Management Board (EMB), chaired by the Deputy Administrator, who is also the Senior Agency Official for Risk Management, is responsible for managing and monitoring key organizational risks. Further, the agency's Chief Information Security Officer coordinates with the Chief Information Officer, a member of the EMB, to identify cybersecurity risks for consideration by the EMB. Accordingly, we consider this recommendation to be implemented.
|
National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46) |
NASA concurred with this recommendation and provided its updated IT Security Handbook, revised in January 2022, which addresses the missing elements. Specifically, the Handbook provides for an organization-wide risk assessment and the consideration of risk in prioritizing POA&Ms. By taking these steps, NASA is better positioned to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems. Accordingly, we consider this recommendation to be implemented.
|
National Aeronautics and Space Administration | Priority Rec. The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47) |
NASA agreed with this recommendation and, in February 2022, in response to our recommendation, the agency provided evidence that it had established a process for aggregating and assessing cyber risk information from across its enterprise. Specifically, NASA uses an agency-wide scorecard to aggregate and assess key cyber risk indicators and provide an enterprise-wide view of its cybersecurity risk. By establishing such a process, NASA is better positioned to identify trends and prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to its systems and organization. Accordingly, we consider this recommendation to be implemented.
|
National Science Foundation | The Director of the National Science Foundation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 48) |
NSF concurred with this recommendation and has taken steps to implement it. In December 2019, NSF provided an updated IT Security and Privacy Risk Management Strategy and an updated Information Security and Privacy Continuous Monitoring Program policy. After reviewing these documents, we determined that NSF's updated strategy includes the key elements identified in our report, including a statement of risk tolerance and how the agency intends to assess and monitor risk. Accordingly, we consider this recommendation to be closed and implemented.
|
Nuclear Regulatory Commission | Priority Rec. The Chairman of the Nuclear Regulatory Commission (NRC) should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 49) |
NRC concurred with this recommendation and has taken steps to implement it. In September 2020, NRC issued its Risk Management Strategy, which addresses the key elements identified in our report. Specifically, the strategy includes a statement of the agency's risk tolerance and descriptions of how it intends to assess, respond to, and monitor cyber risks. Accordingly, we consider this recommendation to be implemented.
|
Nuclear Regulatory Commission | The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50) |
NRC concurred with this recommendation. In January 2021, NRC provided evidence to show that its updated policies incorporate these two elements. Specifically, its updated policies require an organization-wide risk assessment and the prioritization of POA&Ms based on an assessment of risk. Accordingly, we consider this recommendation to be implemented.
|
Nuclear Regulatory Commission | The Chairman of NRC should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 51) |
NRC concurred with this recommendation and has taken steps to implement it. Specifically, in December 2019, NRC officials provided documentation showing that the agency had developed a process for an organization-wide cybersecurity risk assessment. The process includes an aggregation of security-related indicators from across the organization and provides an assessment or scoring for each NRC office or region. The assessment is available through an agency dashboard, which displays progress against an agency-developed metric, as well as the quantified risk associated with each office and region. Accordingly, we consider this recommendation closed and implemented.
|
Nuclear Regulatory Commission | The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52) |
NRC concurred with this recommendation. In February 2021, NRC provided evidence that it had established such a process. Specifically, the agency's Enterprise Risk Management Council (ERMC) is responsible for organization-wide efforts to manage risk, advises on the agency's strategically aligned portfolio view of risks, and serves as a strategic advisor on integrating enterprise risk management practices into daily business operations and decision-making. The ERMC is advised of all enterprise-level risks, including cyber risk, and its membership includes the Chief Risk Officer and Chief Information Officer, among others. Accordingly, we consider this recommendation to be implemented.
|
Office of Personnel Management | The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53) |
OPM concurred with this recommendation and in June 2024 provided its updated Cybersecurity and Privacy Policy, which requires an organization-wide cybersecurity risk assessment and the use of risk assessments to inform control tailoring. Specifically, the policy states that the agency is to conduct risk management activities for enterprise cybersecurity program risks. Further, it states that the agency will conduct periodic reviews to identify controls or test procedures that may be tailored out of the agency's risk management process, and that the way these controls are to be implemented depends on the risks, sensitivity, and criticality associated with the specific systems and data involved. By taking these steps, OPM is better positioned to effectively identify and prioritize activities to mitigate cybersecurity risks. Accordingly, we consider this recommendation to be implemented.
|
Office of Personnel Management | Priority Rec. The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54) |
OPM concurred with this recommendation and in June 2024 provided evidence that it has established a process for conducting organization-wide cybersecurity risk assessments. In particular, OPM's Cybersecurity Risk Management Strategy details roles and responsibilities and the processes the agency uses to assess cybersecurity risks. OPM stated that its organization-wide risk assessments take a targeted approach that focuses on specific areas of concern. For example, OPM provided reports on the results of assessments it had conducted related to supply chain management and "Internet of Things" devices. OPM stated that its risk assessments are conducted annually at the direction of the Chief Information Security Officer or Chief Information Officer, or as requested by its Risk Management Council (RMC). By taking these steps, the agency is better positioned to identify trends and prioritize investments in cybersecurity risk mitigation activities in order to target widespread or systemic risks to its systems and organization. Accordingly, we consider this recommendation to be implemented.
|
Small Business Administration | The Administrator of the Small Business Administration (SBA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 55) |
SBA concurred with this recommendation and has taken steps to implement it. In March 2020, SBA provided its updated risk management framework implementation procedures. These procedures address the missing elements, such as a statement of risk tolerance and acceptable risk response strategies. Accordingly, we consider this recommendation closed and implemented.
|
Small Business Administration | The Administrator of SBA should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 56) |
In March 2020, in response to our recommendation, SBA updated its Risk Management Framework implementation procedures to require an organization-wide cybersecurity risk assessment and the use of risk assessments to inform POA&M prioritization. Accordingly, SBA has taken the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems.
|
Small Business Administration | Priority Rec. The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57) |
SBA concurred with this recommendation and has taken steps to implement it. Specifically, in response to our recommendation, the agency developed a process for an organization-wide cybersecurity risk assessment and in January 2021 provided evidence of this process. The process includes aggregating risks from various internal and external data sources, scoring them according to a defined risk assessment methodology, and identifying key agency-wide risks, which are reported to agency leadership along with recommended actions for remediation. Accordingly, we consider this recommendation to be implemented.
|
Social Security Administration | Priority Rec. The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58) |
SSA concurred with this recommendation. In March 2021, in response to our recommendation, SSA provided evidence that it had established a coordination process between its cybersecurity and enterprise risk management (ERM) functions. Specifically, the agency established an ERM council to provide governance for the agency's ERM function. The membership of this council includes, among others, the agency's Chief Information Officer and Chief Information Security Officer, and the latter official serves as the agency's cybersecurity risk executive. This coordination should better position SSA to address significant cybersecurity risks in the context of other risks and their potential impacts on the mission of the agency. Accordingly, we consider this recommendation to be implemented.
|