Image

Information Security

Recent Reports

Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements

Published: Dec 04, 2023

Publicly Released: Dec 04, 2023

Federal Grants: Numerous Programs Provide Cybersecurity Support to State, Local, Tribal, and Territorial Governments

Published: Nov 16, 2023.

Publicly Released: Nov 16, 2023.

Cybersecurity: State Needs to Expeditiously Implement Risk Management and Other Key Practices

Published: Sep 28, 2023.

Publicly Released: Sep 28, 2023.

Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods

Published: Sep 26, 2023

Publicly Released: Sep 26, 2023

Homeland Security: Office of Intelligence and Analysis Should Improve Privacy Oversight and Assessment of Its Effectiveness

Published: Aug 28, 2023.

Publicly Released: Sep 12, 2023.

Security of Taxpayer Information: IRS Needs to Address Critical Safeguard Weaknesses

Published: Aug 14, 2023.

Publicly Released: Sep 11, 2023.

View More Reports

Open Recommendations

Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements

Show

20 Open Recommendations

Agency Affected	Recommendation	Status
Cybersecurity and Infrastructure Security Agency	The Director of CISA should ensure that when the agency updates the Federal Government Cybersecurity Incident & Vulnerability Response Playbooks that it provides additional detail to federal agencies on COOP planning and includes the requirement to provide both primary and secondary points of contact to CISA. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce	The Secretary of Commerce should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Education	The Secretary of Education should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy	The Secretary of Energy should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Secretary of Homeland Security should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods

Show

2 Open Recommendations

Agency Affected	Recommendation	Status
Office of the National Cyber Director	The National Cyber Director should identify outcome-oriented performance measures for the eight cyber threat information sharing initiatives that are included in the National Cybersecurity Strategy Implementation Plan. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA, in coordination with the 14 agencies, should conduct a comprehensive assessment of whether the current mix of centralized and federated sharing methods used by the agencies is the optimal approach to addressing the cyber threat sharing challenges—including whether existing sharing methods should be retired in favor of centralized or federated approaches. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Security of Taxpayer Information: IRS Needs to Address Critical Safeguard Weaknesses

Show

16 Open Recommendations

Agency Affected	Recommendation	Status
Congress	Congress should consider providing IRS with direct statutory authority to inspect receiving agencies' safeguards for taxpayer information shared under subsection 6103(c) of the Internal Revenue Code. (Matter for Consideration 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service	The Commissioner for Internal Revenue should officially assign the Human Capital Office responsibility for monitoring contractor training completion rates for courses related to protecting taxpayer information and ensure this role and responsibility is documented. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service	The Commissioner for Internal Revenue should ensure that the Human Capital Office establish and document an agency-wide training completion goal for annual mandatory contractor training related to protecting taxpayer information. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service	The Commissioner for Internal Revenue should ensure that the Human Capital Office monitor contractor training completion rates for courses related to protecting taxpayer information and take actions to ensure contractors complete training, such as sharing completion rates with contracting officer representatives (COR) and other appropriate offices. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service	The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop guidance for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service	The Commissioner for Internal Revenue should ensure that the Enterprise Contract Oversight Center and other appropriate offices develop training for CORs on the process of documenting and reporting UNAX and unauthorized disclosure incidents, including processes for cases that are substantiated. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity Workforce: National Initiative Needs to Better Assess Its Performance

Show

8 Open Recommendations

Agency Affected	Recommendation	Status
National Institute of Standards and Technology	The Director of NIST should ensure that the Director of NICE develops a program performance plan with goals that are measurable. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology	The Director of NIST should ensure that the Director of NICE updates the program's environmental scan documentation to include an assessment of how the outcomes and impacts of the identified programs, projects, and initiatives may affect the program's achievement of its performance plan and the strategic plan goals. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology	The Director of NIST should ensure that the Director of NICE assesses and justifies the resources that the program requires to achieve its performance plan and the strategic plan goals. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology	The Director of NIST should ensure that the Director of NICE establishes performance measures with a plan to collect the data needed to assess progress toward each performance goal. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology	The Director of NIST should ensure that the Director of NICE regularly collects program performance information that is measurable, timely, accurate, and useful. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Institute of Standards and Technology	The Director of NIST should ensure the Director of NICE reports measurable program performance information to stakeholders. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

View More Recommendations

GAO Contacts

Vijay A. D'Souza

Director

dsouzav@gao.gov

Nick Marinos

Managing Director

MarinosN@gao.gov

William Russell

Director

russellw@gao.gov

Jennifer Franks

Director

franksj@gao.gov

David (Dave) Hinchman

Director

HinchmanD@gao.gov

Marisol Cruz Cain

Director

cruzcainm@gao.gov