
SECURE ALL FEDERAL INFORMATION SYSTEMS, CYBER
CRITICAL INFRASTRUCTURE, AND PROTECT THE PRIVACY
OF PERSONALLY IDENTIFIABLE INFORMATION (PII)

In 2015, the Director of Information Security Issues for the U.S. Government Accountability Office (GAO) testified before a House of Representatives subcommittee. The Director said, in part: "The danger posed by the wide array of cyber threats facing the nation is heightened by weaknesses in the federal government’s approach to protecting its systems and information. While recent government-wide initiatives hold promise for bolstering the federal cybersecurity posture, it is important to note that no single technology or set of practices is sufficient to protect against all these threats. A 'defense in depth' strategy is required that includes well-trained personnel, effective and consistently applied processes, and appropriately implemented technologies. While agencies have elements of such a strategy in place, more needs to be done to fully implement it and to address existing weaknesses. In particular, implementing GAO and inspector general recommendations will strengthen agencies’ ability to protect their systems and information, reducing the risk of a potentially devastating cyberattack." (Read his entire statement here.)
 

Two years later, the same Director testified again: "Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented." (Read his entire statement here.)

 

The GAO continually assesses the cybersecurity compliance of federal agencies. In early 2018 alone, for example, it released reports on: critical infrastructure protection (read here); the Department of Homeland Security's (DHS) need to take urgent action to identify its position and critical skill requirements (read here); DHS's need to enhance efforts to improve and promote the security of federal and private-sector networks (read here); and the need for agencies to improve baseline assessments and procedures for coding positions (read here). In 2019, the GAO reported that "the federal government needs a qualified, well-trained cybersecurity workforce to protect vital IT systems. Not having enough of these workers is one reason why securing federal systems is on our High Risk list" (read here).

 

We must make certain that the federal government complies with the GAO's overall recommendations and takes the following actions to strengthen U.S. cybersecurity:
Effectively implement risk-based entity-wide information security programs consistently over time. Among other things, agencies need to (1) implement sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices; (2) patch vulnerable systems and replace unsupported software; (3) develop comprehensive security test and evaluation procedures and conduct examinations on a regular and recurring basis; and (4) strengthen oversight of contractors providing IT services.

Improve its cyber incident detection, response, and mitigation capabilities. The Department of Homeland Security needs to expand the capabilities and support wider adoption of its government-wide intrusion detection and prevention system. In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches, and develop consistent responses to breaches of PII (personally identifiable information, meaning any data that could potentially identify a specific individual).

Better oversee protection of personally identifiable information. The federal government needs to (1) protect the security and privacy of electronic health information, (2) ensure privacy when face recognition systems are used, and (3) protect the privacy of users' data on state-based health insurance marketplaces.

Expand efforts to strengthen cybersecurity of the nation's critical infrastructures. The federal government needs to develop metrics to (1) assess the effectiveness of efforts promoting the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity and (2) measure and report on the effectiveness of cyber risk mitigation activities and the cybersecurity posture of critical infrastructure sectors.

Expand its cyber workforce planning and training efforts. The federal government needs to (1) enhance efforts for recruiting and retaining a qualified cybersecurity workforce and (2) improve cybersecurity workforce planning activities.

Evidence:

United States. Government Accountability Office. "Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls Across Federal Agencies." 24 June 2015.

United States. Government Accountability Office. "Cybersecurity: Actions Needed to Strengthen U.S. Capabilities." 14 February 2017.

United States. Government Accountability Office. "Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption." February 2018.

United States. Government Accountability Office. "Cybersecurity Workforce: DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill Requirements." 7 March 2018.

United States. Government Accountability Office. "Cybersecurity: DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks." 24 April 2018.

United States. Government Accountability Office. "Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions." June 2018.

United States. Government Accountability Office. "Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs." March 2019.
