Gregory Wilshusen

FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its Program

The Federal Communications Commission uses the Electronic Comment Filing System to receive public comments about proposed regulation changes. In May 2017, a surge of more than 22 million comments disrupted the system making it unavailable. We issued a Sept 2019 report with 136 recommendations for improvements in this and other FCC systems. The report was not publically released because it contains security information. This is the public version of that report—with the sensitive information removed.

DHS Needs to Continue to Advance Initiatives to Protect Federal Systems

Cyber-based intrusions and attacks on federal systems are evolving and becoming more sophisticated. The Government Accountability Office first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. The Department of Homeland Security plays a key role in strengthening the cybersecurity posture of the federal government. Among other things, DHS has initiatives for (1) detecting and preventing malicious cyber intrusions into agencies' networks and (2) deploying technology to assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities.

This statement provides an overview of GAO's work related to DHS's efforts to improve the cybersecurity posture of the federal government. In preparing this statement, GAO relied on previously published work, as well as information provided by DHS on its actions in response to GAO's previous recommendations. In a January 2016 report, GAO made nine recommendations related to expanding NCPS's capability to detect cyber intrusions; notifying customers of potential incidents; providing analytic services; and sharing cyber-related information, among other things. DHS concurred with the recommendations and is taking actions to implement them.

GAO Report: Cybersecurity: Actions Needed to Strengthen US Capabilities

This statement (1) provides an overview of Government Accountability Office's work related to cybersecurity of the federal government and the nation's critical infrastructure and (2) identifies areas of consistency between GAO recommendations and those recently made by the Cybersecurity Commission and CSIS. In preparing this statement, GAO relied on previously published work and its review of the two recent reports issued by the Commission and CSIS. Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented.

While previous administrations and agencies have acted to improve the protections over federal and critical infrastructure information and information systems, the federal government needs to take the following actions to strengthen U.S. cybersecurity:

  • Effectively implement risk-based entity-wide information security programs consistently over time.
  • Improve its cyber incident detection, response, and mitigation capabilities. The Department of Homeland Security needs to expand the capabilities and support wider adoption of its government-wide intrusion detection and prevention system. In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches, and develop consistent responses to breaches of PII.
  • Expand its cyber workforce planning and training efforts.
  • Expand efforts to strengthen cybersecurity of the nation's critical infrastructures.
  • Better oversee protection of personally identifiable information.