Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges

Citation
Government Accountability Office, Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges (GAO-19-384) (July 25, 2019) (full-text).

Overview
Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, OMB and DHS play important roles in overseeing and supporting agencies’ cybersecurity risk management efforts.

GAO was asked to review federal agencies’ cybersecurity risk management programs. GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face.

GAO has made 57 recommendations to the 23 agencies and one to OMB, in coordination with DHS, to assist agencies in addressing challenges.