Citation

Government Accountability Office, Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems (GAO-15-573T) (Apr. 22, 2015) (full-text).

Overview

Federal and contractor systems face an evolving array of cyber-based threats. These threats can be unintentional (for example, from equipment failure or careless or poorly trained employees) or intentional (targeted or untargeted attacks from criminals, hackers, adversarial nations, or terrorists, among others). Threat actors use a variety of attack techniques that can adversely affect federal information, computers, software, networks, or operations, potentially resulting in the disclosure, alteration, or loss of sensitive information; destruction or disruption of critical systems; or damage to economic and national security. These concerns are further highlighted by the sharp increase in cyber incidents reported by federal agencies over the last several years, as well as the reported impact of such incidents on government and contractor systems.

Because of the risk posed by these threats, it is crucial that the federal government take appropriate steps to secure its information and information systems. However, GAO has identified a number of challenges facing the government's approach to cybersecurity, including the following:

  • Implementing risk-based cybersecurity programs at federal agencies: For fiscal year 2014, 19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting. In addition, inspectors general at 23 of these agencies cited information security as a major management challenge for their agency.
  • Implementing security programs at small agencies: Smaller federal agencies (generally those with 6,000 or fewer employees) have not always fully implemented comprehensive agency-wide information security programs.

Until agencies take actions to address these challenges, including the hundreds of recommendations made by the GAO and inspectors general, their systems and information will be at increased risk of compromise from cyber-based attacks and other threats.
