The U.S. Government Accountability Office (GAO) recently released a report stating that the federal government needs to strengthen its capabilities regarding cybersecurity and protecting the privacy of personally-identifiable information.
GAO conducted the study to provide an overview of the government’s work related to cybersecurity and the nation’s critical infrastructure. The report also sought to identify areas of consistency between previous GAO cybersecurity recommendations and those made recently by the Cybersecurity Commission and the Center for Strategic and International Studies (CSIS).
In previous years, GAO has made more than 2,500 cybersecurity-related recommendations to federal agencies. As of Feb. 2017, approximately 1,000 of those recommendations have actually been implemented.
The GAO report found that the federal government must effectively implement risk-based, entity-wide information security programs consistently over time. Specifically, GAO recommends that agencies implement sustainable processes for securely configuring operating systems and servers, patch vulnerable systems and replace unsupported software, and develop comprehensive security test and evaluation procedures carried out on a regular basis.
GAO also found that agencies must improve their cyber incident detection, response, and mitigation capabilities by adopting a government-wide intrusion detection and prevention system.
Further recommendations include expanding cyber workforce planning and training efforts, expanding efforts to strengthen the cybersecurity of critical infrastructure, and providing better oversight of electronic health information by ensuring privacy when facial recognition systems are used.
GAO first designated information security as a government-wide high risk area in 1997. The designation was expanded in 2003 to include cyber critical infrastructure and again in 2015 for the protection of personally-identifiable information.