Information Security

Open Recommendations

Coast Guard: Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System

GAO-25-107244
Feb 11, 2025
5 Open Recommendations
Agency Affected: United States Coast Guard
Recommendation: The Commandant of the Coast Guard should develop and implement documented procedures to ensure the accuracy of cybersecurity incident information that the service identifies and tracks. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: United States Coast Guard
Recommendation: The Commandant of the Coast Guard should ensure that its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during those inspections. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: United States Coast Guard
Recommendation: The Commandant of the Coast Guard should ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a full assessment of cybersecurity risks to the MTS. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: United States Coast Guard
Recommendation: The Commandant of the Coast Guard should develop future competency needs for all of the service's personnel with MTS cyber responsibilities for mitigating cyber risks to the MTS and analyze the gaps between current competencies and future needs. (Recommendation 4)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: United States Coast Guard
Recommendation: The Commandant of the Coast Guard should, using the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any gaps in competencies, such as through training. (Recommendation 5)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Internet of Things: Federal Actions Needed to Address Legislative Requirements

GAO-25-107179
Dec 04, 2024
11 Open Recommendations
Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

GAO-25-107703
Nov 21, 2024
1 Open Recommendation
Agency Affected: Office of the National Cyber Director
Recommendation: The National Cyber Director should (1) lead the coordination of the national quantum computing cybersecurity strategy and (2) ensure that the strategy's various documents address all the desirable characteristics of a national strategy. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems

GAO-24-106744
Aug 01, 2024
4 Open Recommendations
Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of EPA should, as required by law, conduct a water sector risk assessment, considering physical security and cybersecurity threats, vulnerabilities, and consequences. (Recommendation 1)
Status: Open
In its comments on the report, EPA stated that it concurs with this recommendation. It will develop a risk assessment and risk management plan that address cybersecurity in accordance with the National Security Memorandum on Critical Infrastructure Security and Resilience published in April 2024.
Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of EPA should develop and implement a risk-informed cybersecurity strategy, in coordination with other federal and sector stakeholders, to guide its water sector cybersecurity programs. Such a strategy should include information from a risk assessment and should identify objectives, activities, and performance measures; roles, responsibilities, and coordination; and needed resources and investments. (Recommendation 2)
Status: Open
In its comments on the report, EPA said it concurs with the recommendation and will develop a water sector risk assessment and risk management plan that address cybersecurity in accordance with the National Security Memorandum on Critical Infrastructure Security and Resilience, published April 2024.
Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of EPA should evaluate its existing legal authorities for carrying out EPA's cybersecurity responsibilities and seek any needed enhancements to such authorities from the administration and Congress. (Recommendation 3)
Status: Open
In its comments on the report, EPA stated that it concurs with this recommendation. It also said that it had already conducted a thorough examination of and provided technical assistance to Congress on existing legal authorities with respect to EPA cybersecurity responsibility. Further, the agency committed to providing a detailed explanation of its examination of legal authorities as part of the risk management plan, to be completed in 2025. Until this explanation is completed and available, however, GAO cannot assess the degree to which EPA has examined its legal authorities. GAO will continue to follow up on this recommendation.
Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of EPA should submit the Vulnerability Self-Assessment Tool (VSAT) for independent peer review and revise the tool as appropriate. (Recommendation 4)
Status: Open
In its comments on the report, EPA stated that it concurs with this recommendation. It said it will submit the VSAT tool for independent peer review and revise the tool as appropriate. EPA estimated the review will begin in November 2024. GAO will follow up on the status of this recommendation.
