8 min read

GAO: US Federal Agencies Need to Fully Establish Risk Management Programs

George V. Hulme

August 21, 2019

GAO: US Federal Agencies Need to Fully Establish Risk Management Programs

There have been plenty — too many — breaches involving federal agencies over the years. Way back in 2006, a breach at the U.S. Department of Veterans Affairs affected 26.5 million people. In 2009, it was the National Archives and Records Administration that was hit and that breach affected 76 million. In one of the worst and most damaging breaches of all time, the U.S. Office of Personnel Management (OPM) affected 21.5 million federal employees and contractors, and breached the information included in security clearances, such as background investigation data and associated person data. Most recently, the U.S. Customs Agency fell victim to an attack and photos and other personal information collected by U.S. Customers and Border Patrol was leaked.

The digital risks faced by federal agencies have never been higher. The risks range from shoddy software quality to increasingly sophisticated malware, and persistent nation-state-backed attackers. Defending federal agencies, well any organization for that matter, seems a Sisyphean adventure.

To gauge the security of federal agencies, the Government Accountability Office (GAO) was charged with reviewing the cybersecurity risk of the 23 federal agencies, with a focus on the extent agencies have established key elements of a quantified cybersecurity risk management program; what challenges, if any, agencies identified in developing and implementing their programs; and steps the Office of Management and budget and the department of homeland security have taken to meet their risk management responsibilities and address any challenges agencies said they face.

To meet its objectives, the GAO said it reviewed the policies and procedures from 23 civilian Chief Financial Officers Act of 1990 agencies and compared them to essential federal cybersecurity risk management practices, obtained agencies’ views on challenges they faced, identified and analyzed actions taken by OMB and DHS to determine whether they address agency challenges, and interviewed responsible agency officials.

The GAO is not new to reporting on the security posture of federal agencies. Previously the GAO has found federal agencies to be woefully lax when it comes to information security. And the GAO has reported that agencies have struggled to implement programs to effectively manage the risks to their information and information systems.

According to the GAO and its current report findings agencies must make decisions about how to most effectively secure their systems and data, based on an assessment of the risks they face. For this, the GAO points to FISMA’s Federal Information Security Modernization Act of 2014, various executive orders, and guidance from the OMB that emphasize information security risk-based processes. The GAO also points to NIST’s cybersecurity risk management framework (.pdf).

For a number of years now, federal agency leadership have been held to task for their cybersecurity readiness by the executive branch (Executive Order 13800). Leadership is required to put into place a risk management program to match the risk and impact of a data breach from the “unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.” To this end, the processes and procedures to measure and improve their cybersecurity efforts are detailed in 13800.

According to the GAO, key practices to establish agency-wide cybersecurity risk management include a cybersecurity risk executive designation, develop a risk management strategy and policies that facilitate risk-based decisions, assess the cyber risks to the agency, and establishing coordination with the agency’s enterprise risk management program.

The GAO found, in the 23 agencies they reviewed, that nearly all agencies have a risk management executive in place to help drive their programs forward, however the agencies are currently falling short in other areas:

  • Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.
  • Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.
  • Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.
  • Eleven agencies have not fully established a process for assessing agency- wide cybersecurity risks based on an aggregation of system-level risks.
  • Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

Many of the challenges cited by the agencies are the change challenges that plague corporate enterprises: the difficulty finding the right cybersecurity talent, the challenge in coordinating security efforts with other members in one’s industry, as well as baselining and quantifying risk in their organization, as well as managing a organizational-wide risk management program. These are challenges large enterprises with large budgets face every day and have a challenging time meeting.

The breaches have real impact on peoples’ lives and their trust in government. The OPM breach has the potential for extraordinary damage to U.S. security as well as the security of the employees and contractors effected. As for the U.S. Customs and Border agency breach, Neema Singh Giuliani a senior legislative counsel at the American Civil Liberties Union said "This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place."

As even more of our lives become digital, and more services are delivered online and through digital services, the security of federal agencies — all government agencies really — is only going to increase.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like