Thursday, April 25th, 2024

GAO offers cybersecurity suggestions for federal agencies

The Government Accountability Office (GAO) has issued a series of recommendations to federal agencies to help them address the challenges they face in managing cybersecurity risk.

The GAO outlined 57 recommendations to the 23 agencies and one to the Office of Management and Budget (OMB) in coordination with the Department of Homeland Security (DHS), noting that, to protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.

The key practices include designating a cybersecurity risk executive; developing a risk management strategy and policies; assessing cyber risks; and coordinating between cybersecurity and enterprise-wide risk management functions.

The GAO determined that all but one of the 23 agencies reviewed had designated a risk executive, while none of the agencies had fully incorporated the other key practices into their programs.

Until agencies address the practices, the GAO maintains, the entities will face an increased risk of cyber-based incidents threatening national security and personal privacy.

The GAO said the work involved reviewing policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies, comparing them to key federal cybersecurity risk management practices, obtaining agencies’ views on challenges they faced, identifying and analyzing actions taken by OMB and DHS to determine whether they address agency challenges, and interviewing responsible agency officials.

Seventeen agencies agreed with the recommendations. One agency partially agreed, and four, including OMB, did not state whether they agreed or disagreed.