Information Security

Open Recommendations

Cloud Security: Selected Agencies Need to Fully Implement Key Practices

GAO-23-105482
May 18, 2023
35 Open Recommendations
Agency Affected Recommendation Status
Department of Agriculture The Secretary of Agriculture should ensure that the agency fully documents the access authorizations for its selected PaaS system. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing the continuous monitoring deliverables from the CSP and committing to a time frame to review audit logs. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected SaaS system 1, to include reviewing the continuous monitoring deliverables from the CSP and committing to a time frame to review audit logs. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected SaaS system 2, to include reviewing the continuous monitoring deliverables from the CSP. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should ensure that the agency's service level agreements with CSPs define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should ensure that the agency provides the authorization letter to the FedRAMP PMO for its selected SaaS system 2. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: DOT Defined Roles and Responsibilities, but Additional Oversight Needed

GAO-23-106031
May 15, 2023
3 Open Recommendations
Agency Affected Recommendation Status
Department of Transportation The Secretary of Transportation should direct the DOT CIO to leverage its IT program reviews to address recommendations that have not yet been implemented from prior year DOT OIG FISMA reports. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should direct the DOT CIO to collaborate with human resources officials to develop and implement a policy requiring that OA senior IT managers' performance plans include cybersecurity-related performance expectations. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should ensure that the DOT CIO participates in the performance reviews of OA CIO equivalents. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

GAO-23-105327
Dec 01, 2022
9 Open Recommendations
Agency Affected Recommendation Status
Department of Energy The Secretary of Energy, as SRMA for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy The Secretary of Energy, as SRMA for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S. Coast Guard to jointly work with the Department of Transportation's Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector's IoT and OT environments. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S. Coast Guard to jointly work with the Department of Transportation's Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector's cyber environment. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Secret Service Has Made Progress Toward Zero Trust Architecture, but Work Remains

GAO-23-105466
Nov 15, 2022
1 Open Recommendation
Agency Affected Recommendation Status
United States Secret Service The Director of the Secret Service should instruct the agency's chief information officer to implement outstanding Office of Management and Budget requirements for transitioning to IPv6, particularly in regard to upgrading its public-facing systems. (Recommendation 1)
Open
As of January 2023, Secret Service has not provided sufficient evidence to close this recommendation. We will continue to follow up with the agency.