GAO Report: Cybersecurity: Actions Needed to Strengthen US Capabilities

This statement (1) provides an overview of the Government Accountability Office's (GAO) work related to cybersecurity of the federal government and the nation's critical infrastructure and (2) identifies areas of consistency between GAO recommendations and those recently made by the Cybersecurity Commission and CSIS. In preparing this statement, GAO relied on previously published work and its review of the two recent reports issued by the Commission and CSIS. Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented.

While previous administrations and agencies have acted to improve the protections over federal and critical infrastructure information and information systems, the federal government needs to take the following actions to strengthen U.S. cybersecurity:

  • Effectively implement risk-based entity-wide information security programs consistently over time.
  • Improve its cyber incident detection, response, and mitigation capabilities. The Department of Homeland Security needs to expand the capabilities of, and support wider adoption of, its government-wide intrusion detection and prevention system. In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches, and develop consistent responses to breaches of personally identifiable information (PII).
  • Expand its cyber workforce planning and training efforts.
  • Expand efforts to strengthen cybersecurity of the nation's critical infrastructures.
  • Better oversee protection of personally identifiable information.