Information Security

Recent Reports

NASA Cybersecurity: Plan Needed to Update Spacecraft Acquisition Policies and Standards

GAO-24-106624

Published: May 01, 2024

Publicly Released: May 01, 2024

Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions

GAO-24-106343

Published: Apr 18, 2024

Publicly Released: Apr 18, 2024

Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology

GAO-24-106576

Published: Mar 07, 2024

Publicly Released: Mar 07, 2024

Artificial Intelligence: Fully Implementing Key Practices Could Help DHS Ensure Responsible Use for Cybersecurity

GAO-24-106246

Published: Feb 07, 2024

Publicly Released: Feb 07, 2024

Cybersecurity: National Cyber Director Needs to Take Additional Actions to Implement an Effective Strategy

GAO-24-106916

Published: Feb 01, 2024

Publicly Released: Feb 01, 2024

Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support

GAO-24-106221

Published: Jan 30, 2024

Publicly Released: Jan 30, 2024

View More Reports

Open Recommendations

NASA Cybersecurity: Plan Needed to Update Spacecraft Acquisition Policies and Standards

GAO-24-106624

May 01, 2024

Show

1 Open Recommendations

Agency Affected	Recommendation	Status Sort ascending
National Aeronautics and Space Administration	The NASA Administrator should ensure that the Chief Engineer, the Chief Information Officer, and the Principal Advisor for Enterprise Protection develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions

GAO-24-106343

Apr 18, 2024

Show

5 Open Recommendations

Agency Affected	Recommendation	Status Sort ascending
Department of Homeland Security	The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board's operations. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology

GAO-24-106576

Mar 07, 2024

Show

4 Open Recommendations

Agency Affected	Recommendation	Status Sort ascending
Cybersecurity and Infrastructure Security Agency	The Director of CISA should (1) measure customer service for all of its OT products and services and (2) use the results of such measures to make improvements to the products and services. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should (1) develop OT competency and staffing requirements, (2) assess OT competency and staffing gaps, and (3) develop strategies for filling any gaps. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should issue guidance on how SRMAs should update sector-specific plans that reflects the five selected leading collaboration practices when agencies are mitigating cyber OT risks. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Cybersecurity and Infrastructure Security Agency	The Director of CISA should (1) develop an agency-wide policy on agreements with SRMAs regarding collaboration to mitigate OT risks and (2) implement that policy with the selected agencies. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Artificial Intelligence: Fully Implementing Key Practices Could Help DHS Ensure Responsible Use for Cybersecurity

GAO-24-106246

Feb 07, 2024

Show

8 Open Recommendations

Agency Affected	Recommendation	Status Sort ascending
Department of Homeland Security	The Chief Technology Officer should expand its review process to include steps to verify the accuracy of its AI inventory submissions. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Director of CISA should develop metrics to consistently measure progress toward all stated goals and objectives for Automated PII Detection. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Director of CISA should clearly define the roles and responsibilities and delegation of authority of all relevant stakeholders involved in managing and overseeing the implementation of the Automated PII Detection component to ensure effective operations and sustained oversight. (Recommendation 3)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Director of CISA should document the sources and origins of data used to develop the Automated PII Detection component. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Director of CISA should take steps to assess and document the reliability of data used to enhance the representativeness, quality, and accuracy of the Automated PII Detection component. (Recommendation 5)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security	The Director of CISA should document its process for optimizing the elements used within the Automated PII Detection component. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.