Skip to main content

Information Security

Jump To:

Recent Reports

View More Reports

Open Recommendations

Cybersecurity: NASA Needs to Fully Implement Risk Management
GAO-25-108138
Jun 25, 2025
Show
16 Open Recommendations
Agency Affected Recommendation Status
National Aeronautics and Space Administration The NASA Administrator should ensure that NASA's Chief Information Officer prepares and approves an organization-wide cybersecurity risk assessment. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that the documented impact levels for confidentiality, integrity, and availability for all systems match the risk of the system, and that any changes to the provisional impact levels are fully justified in accordance with NASA policy. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to update its guidance to include oversight responsibilities for ensuring NASA-defined control baselines are properly applied when baselines are updated. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to update its policies to provide more specific guidance about how to document assessment results for all types of critical controls including inherited controls. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the first system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the second system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions
GAO-25-107470
Jun 11, 2025
Show
4 Open Recommendations
Agency Affected Recommendation Status
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to issue guidance to help facilitate agencies' implementation of the network security management and data protection management capabilities within the CDM program. (Recommendation 1)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to develop milestones for addressing data quality issues on an ongoing basis. (Recommendation 2)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to work with the 23 civilian Chief Financial Officers Act agencies to ensure that willing agencies are onboarded to the Persistent Access Capability. (Recommendation 3)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.
Department of Homeland Security The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to update the agency's strategy associated with its cloud asset management activities to include required resources, provide the strategy to agencies, and implement the strategy. (Recommendation 4)
Open
As of June 2025, DHS has not provided sufficient evidence to close this recommendation. We will continue to follow-up with the agency.

Taxpayer Identity Verification: IRS Should Strengthen Oversight of Its Identity-Proofing Program
GAO-25-107273
Jun 11, 2025
Show
4 Open Recommendations
Agency Affected Recommendation Status
Internal Revenue Service The Commissioner of Internal Revenue should define and document measurable goals and objectives for its digital identity-proofing program. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service The Commissioner of Internal Revenue should regularly evaluate and document results of its digital identity-proofing program in terms of meeting the goals and objectives established in recommendation 1. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service The Commissioner of Internal Revenue should establish procedures for routinely sharing and communicating identity-proofing vendors' performance data to relevant officials. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that procured digital identity-proofing solutions that involve the use of AI are included in IRS's AI inventory, consistent with applicable legal requirements, and go through IRS's AI oversight process. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Spectrum IT Modernization: NTIA Should Fully Incorporate Cybersecurity and Interoperability Practices
GAO-25-107509
May 22, 2025
Show
5 Open Recommendations
4 Priority
Agency Affected Recommendation Status
National Telecommunications and Information Administration
Priority Rec.
The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk management strategy that includes a determination of organizational risk tolerance, acceptable risk assessment methodologies, and details on strategies for responding to risks (such as risk acceptance, mitigation, or avoidance). (Recommendation 1)
Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.
National Telecommunications and Information Administration
Priority Rec.
The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk assessment that leverages aggregated information from system-level risk assessment results and risk considerations relevant at the organization level. (Recommendation 2)
Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.
National Telecommunications and Information Administration The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Department of Commerce and the NTIA Office of Spectrum Management to ensure and document that system security plans for NTIA's spectrum IT systems are reviewed, at a minimum, annually, and include logs detailing the date of review and resulting changes. (Recommendation 3)
Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.
National Telecommunications and Information Administration
Priority Rec.
The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to fully document identity, credential, and access management procedures for its cloud systems, including identification of authorized users and their roles, and associated access privileges, for each of its spectrum IT legacy systems. (Recommendation 4)
Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.
National Telecommunications and Information Administration
Priority Rec.
The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to specify a time frame for developing a data governance plan that resolves conflicts related to the application of NTIA's new data standard and defines roles and responsibilities for making decisions regarding the standard. (Recommendation 5)
Open
NTIA agreed with this recommendation and stated in May 2025 that it will prepare a formal action plan to address it.
View More Recommendations

Related Pages

GAO Contacts