Watching Out for Federal Cybersecurity

The federal government relies on computer networks and systems to provide essential services affecting the health, economy, and defense of the nation. Incidents of hacking or cyber attacks place sensitive information at risk, with potentially serious effects on federal and military operations; critical infrastructure; and government, private sector, and individual privacy. The Department of Homeland Security has designated October as National Cybersecurity Awareness Month. To mark the month, we are highlighting some of our findings on federal cybersecurity efforts. Cyber Incidents are Increasing We found that federal agencies reported 782 percent more cybersecurity incidents to the U.S. Computer Emergency Readiness Team in 2012 than in 2006. The dramatic rise in the number of incidents can be seen in the graphic below.

Excerpted from GAO-13-187

Cybersecurity Gaps Put Information at Risk Increasing numbers of cyber incidents and challenges in effectively implementing cybersecurity measures have led us to put the protection of federal information systems on our High Risk list. In the latest update, we noted that most of the 24 major federal agencies had information security weaknesses in key control categories, including:

limiting, preventing, and detecting inappropriate access to computer resources;
planning for continuity of operations in the event of a disaster or disruption; and
implementing information security management programs.

Excerpted from GAO-13-283

Other gaps in cybersecurity that we have identified include:

Information technology supply chain issues at the Departments of Energy, Homeland Security, Justice, and Defense;
Security control weaknesses in the Environmental Protection Agency’s information systems; and
Management and other security control issues with the Federal Communications Commission’s network security project.

Agency Responses to Cyber Incidents In cases involving personally identifiable information, and generally, we found that agencies are not responding to cyber incidents consistently or effectively. Some response strategies we recommended include:

Documenting risk levels and the number of affected individuals for data breaches;
Offering credit monitoring to affected individuals;
Documenting lessons learned from breach responses;
Testing incident response capabilities; and
Developing or clarifying policies, plans, and procedures for incident response.

We found that without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies can’t be certain that their responses will be effective.

Questions about the content of this post? Contact Greg Wilshusen at wilshuseng@gao.gov.
Comments on the GAO WatchBlog? Contact blog@gao.gov.

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.

< WatchBlog: Following the Federal Dollar