Information Security

Open Recommendations

Personnel Vetting: DOD Needs to Enhance Cybersecurity of Background Investigation Systems

GAO-24-106179
Jun 20, 2024
13 Open Recommendations
Agency Affected Recommendation Status
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer identifies and documents all stages of the information life cycle for each information type the system processes, stores, or transmits. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer fully defines, prioritizes, and documents security and privacy requirements. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes an organization-wide risk assessment and documents the results. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes system-level risk assessments and documents the results. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer allocates security and privacy requirements to the system and to the environment in which the system operates and documents the results. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior officials complete all tasks in the risk management framework's prepare step. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

NASA Cybersecurity: Plan Needed to Update Spacecraft Acquisition Policies and Standards

GAO-24-106624
May 01, 2024
1 Open Recommendation
Agency Affected Recommendation Status
National Aeronautics and Space Administration The NASA Administrator should ensure that the Chief Engineer, the Chief Information Officer, and the Principal Advisor for Enterprise Protection develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions

GAO-24-106343
Apr 18, 2024
5 Open Recommendations
Agency Affected Recommendation Status
Department of Homeland Security The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board's operations. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology

GAO-24-106576
Mar 07, 2024
4 Open Recommendations
Agency Affected Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) measure customer service for all of its OT products and services and (2) use the results of such measures to make improvements to the products and services. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) develop OT competency and staffing requirements, (2) assess OT competency and staffing gaps, and (3) develop strategies for filling any gaps. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should issue guidance on how SRMAs should update sector-specific plans that reflects the five selected leading collaboration practices when agencies are mitigating cyber OT risks. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency The Director of CISA should (1) develop an agency-wide policy on agreements with SRMAs regarding collaboration to mitigate OT risks and (2) implement that policy with the selected agencies. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.