Federal agencies are failing to adequately address cybersecurity risks, jeopardizing not only the operations of the federal government and its agencies but also the personal information of U.S. citizens, according to a new audit by the Government Accountability Office.
The report, called Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation, notes that of the more than 3,000 recommendations the agency has issued since 2010, 1,000 had not been implemented as of August. In addition, 31 of 35 priority recommendations haven't been addressed.
Many relate to the systems and structures the agencies need to implement in order to stave off security breaches and, if they occur, to respond as quickly as possible. The audit was conducted from February to September.
Citing the "inconsistent" security over IT systems and data, the report states, "The federal government needs to implement a more comprehensive cybersecurity strategy and improve its oversight, including maintaining a qualified cybersecurity workforce; address security weaknesses in federal systems and information and enhance cyber incident response efforts; bolster the protection of cyber critical infrastructure; and prioritize efforts to protect individuals' privacy and PII." (PII refers to personally identifiable information.)
The audit cites multiple agencies for various failures relating to cybersecurity protections, including the Department of Homeland Security as well as the Securities and Exchange Commission, Internal Revenue Service, Federal Deposit Insurance Corp., the Centers for Medicare and Medicaid Services (CMS) and the Department of Education's Office of Federal Student Aid. In many cases, the GAO had issued recommendations previously, but even when an agency agreed with the recommendations (and sometimes it didn't), it still failed to implement them.