According to a recent US report, nearly 60% of the cyber security recommendations made by the US Government Accountability Office (GAO) since 2010 have yet to be implemented by federal agencies. The Office unveiled the figures in a release on 16 January 2023, adding that out of 335 public recommendations, 190 still needed to be implemented. "Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them," GAO reported.
See: https://redskyalliance.org/xindustry/us-federal-agencies-get-poor-grades-on-cyber-security
According to the Office, the September 2018 National Cyber Strategy and the National Security Council's accompanying June 2019 Implementation Plan released by the White House addressed some of the characteristics of national strategies but not all. Specifically, GAO explained that purpose, scope, and methodology processes were implemented alongside organizational roles, responsibilities, and coordination operations. Integration and implementation efforts have also been acknowledged.[1]
The strategy must still address goals, subordinate objectives, activities, and performance measures. Resources, investments, and risk management operations still need to be implemented. "Federal agencies face numerous information and communications technology (ICT) supply chain risks, which could lead to disrupted mission operations, theft of intellectual property, and harm to individuals," GAO disclosed. "In December 2020, our review of 23 civilian agencies found that none had fully implemented all of the seven foundational practices for supply chain risk management, and 14 had not implemented any of the practices." The Office also made several recommendations to address continuing cybersecurity workforce challenges, which include developing a government-wide workforce plan with supporting practices.
"Government-wide leadership responsibility for cyber workforce issues transitioned in 2022 from [the Office of Management and Budget] and [the Department of Homeland Security] to the Office of the National Cyber Director. The Office has committed to developing a national strategy that addresses key issues."
The GAO report also looked at Internet of Things (IoT) initiatives by the US Departments of Energy, Health and Human Services, Homeland Security, and Transportation. It concluded that none developed metrics to assess their efforts to mitigate sector risks or conducted IoT and OT cybersecurity risk assessments.
Finally, GAO looked at quantum technologies and called for governmental agencies to step up efforts in developing cybersecurity mitigation strategies that account for these new tools. In this regard, the US President signed the Quantum Computing Cybersecurity Preparedness Act into law in December 2022.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.infosecurity-magazine.com/news/federal-agencies-ignore-gaos/