The Government Accountability Office (GAO) says most of its recommendations to improve federal cybersecurity have not been implemented.
The GAO has made approximately 335 recommendations in public reports since 2010 on establishing a comprehensive cybersecurity strategy and performing oversight. As of December 2022, GAO found that approximately 60% of these recommendations had not been implemented. For example, in December 2020, GAO’s review of 23 civilian agencies found that none had fully implemented the seven core supply chain risk management practices and 14 had not implemented any of the practices.
Until the recommendations are fully implemented, the government watchdog says federal agencies will be more limited in their ability to protect the private and sensitive data entrusted to them.
To fill the remaining gaps, the GAO wants the US government to establish a comprehensive cybersecurity strategy; mitigate global supply chain risks; address the shortage of federal cybersecurity workers; and ensure the security of emerging technologies.
As a major step forward, in June 2021, the Senate confirmed that the first National Cybersecurity Director would lead the Office of the National Cybersecurity Director (ONCD) and serve as the President’s senior advisor on cybersecurity policy and strategy. The GAO recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include, among other things, goals, performance measures, and resource information. As of August 2022, according to the ONCD, the administration's development of a national cybersecurity strategy is underway.
GAO has already made several recommendations to address persistent cybersecurity workforce challenges, including developing a government-wide workforce plan and related supporting practices. Government-wide leadership responsibility for cyber workforce issues shifted in 2022 from the Office of Management and Budget and Department of Homeland Security to ONCD. The office says the national strategy currently being developed will address these key issues.
A White House statement last year noted that the United States is facing a significant shortage of cyber talent, with estimates of around 700,000 open positions. To help fill this gap, ONCD issued a Request for Information (RFI) in October 2022 to allow a wide range of diverse stakeholders to provide information that will inform the development of the new national strategy “to make advancing advancements in e-learning, education or workforce development”.
On January 19, ONCD officials agreed that they would continue to engage the broader cybersecurity research community in the development and implementation of cybersecurity policy. Private sector participants noted their openness to working with government entities to address the pernicious cybersecurity challenges facing the nation today.
The GAO will release three more reports outlining key areas of cybersecurity that the federal government should urgently address.