Skip to main content

Information Security: Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its Program

GAO-19-70 Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Jump To:

Fast Facts

IT systems at the Centers for Disease Control and Prevention are critical to securing sensitive data about the nation's health.

In June 2018, we reported numerous deficiencies in CDC's information security program and controls that CDC used to identify risk, protect systems, detect and respond to cybersecurity events, and recover operations after such events. These deficiencies place sensitive information at higher risk of unauthorized disclosure, modification, or interruption.

Since then, CDC has made significant progress bolstering its security by implementing 102 of our 195 recommendations and plans to address many more by September 2019.

CDC is addressing open technical control and information security recommendations

Line graph showing decline in number of open recommendations, with 93 open as of August 2018 and continued decline through 2020

Line graph showing decline in number of open recommendations, with 93 open as of August 2018 and continued decline through 2020

Skip to Highlights

Highlights

What GAO Found

As GAO reported in June 2018, the Centers for Disease Control and Prevention (CDC) implemented technical controls and an information security program that were intended to safeguard the confidentiality, integrity, and availability of its information systems and information. However, GAO identified control and program deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations (see table below). GAO made 195 recommendations to address these deficiencies.

Number of GAO-Identified Technical Control and Information Security Program Deficiencies at the Centers for Disease Control and Prevention and Associated Recommendations by Core Security Function

 

Core security function

Number of technical control deficiencies

Number of technical control recommendations

Number of information security program deficiencies

Number of information security program recommendations

Identify

0

0

5

5

Protect

85

161

1

1

Detect

8

18

3

3

Respond

1

5

1

1

Recover

0

0

1

1

Total

94

184

11

11

Source: GAO. | GAO-19-70

As of August 2018, CDC had made significant progress in resolving many of the security deficiencies by implementing 102 of 184 (about 55 percent) technical control recommendations, and partially implementing 1 of 11 information security program recommendations made in the June 2018 report. The figure shows the status of CDC's efforts to implement the 195 recommendations.

Status of GAO Recommendations to the Centers for Disease Control and Prevention Number of GAO-Identified Technical Control and Information Security Program Deficiencies at the Centers for Disease Control and Prevention and Associated Recommendations by Core Security Function

Additionally, CDC has created remedial action plans to implement the majority of the remaining open recommendations by September 2019. Until CDC implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and destruction.

Why GAO Did This Study

CDC is responsible for detecting and responding to emerging health threats and controlling dangerous substances. In carrying out its mission, CDC relies on information technology systems to receive, process, and maintain sensitive data. Accordingly, effective information security controls are essential to ensure that the agency's systems and information are protected from misuse and modification.

GAO was asked to examine information security at CDC. In June 2018, GAO issued a limited official use only report on the extent to which CDC had effectively implemented technical controls and an information security program to protect the confidentiality, integrity, and availability of its information on selected information systems.

This current report is a public version of the June 2018 report. In addition, for this public report, GAO determined the extent to which CDC has taken corrective actions to address the previously identified security program and technical control deficiencies and related recommendations for improvement. For this report, GAO reviewed supporting documents regarding CDC's actions on previously identified recommendations and interviewed personnel at CDC.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

CybersecurityInformation securityInformation systemsInformation technologyInternal controlsPolicies and proceduresPrivacyPublic healthRisk assessmentSecurity incidentsUnauthorized access