Office of Congressional Workplace Rights: Weaknesses in Cybersecurity Management and Oversight Need to Be...
The Office of Congressional Workplace Rights enforces fair employment and occupational safety and health rules in the legislative branch. Congress passed a 2018 law that, among other things, required the office to create a secure online system for discrimination and harassment claims. In a new report, GAO found weaknesses in the office’s project planning, system […]
Information Security: VA and Other Federal Agencies Need to Address Significant Challenges, November 14,...
Federal agencies, including the Department of Veterans Affairs, continue to have deficient information security programs. For example, in fiscal year 2018, inspectors general used a five-level maturity model to rate agency information security policies, procedures, and practices related to the five core security functions – identify, protect, detect, respond, and recover – established by the […]
The GAO conducted a government-wide review of IT workforce planning. It found that federal agencies varied widely in their efforts to implement key information technology workforce planning activities that are critical to ensuring that agencies have the staff they need to support their missions. Specifically, at least 23 of the 24 agencies GAO reviewed partially […]
EPA Still Unable to Validate that Contractors Received Role-Based Training for Information Security Protection
The Environmental Protection Agency’s Office of Inspector General reports that the agency has limited assurance that contractor personnel are maintaining skills needed to combat efforts to destroy, steal, or hold for ransom the EPA’s systems and sensitive information. Due to unfamiliarity with requirements and ambiguity about who was responsible, only 7 of 21 EPA offices […]
The Cybersecurity Committee of the National Association of Secretaries of State has issued a new resource guide to help offices of Secretaries of State navigate available cybersecurity resources, including the circumstances in which they may be useful, the differences between them, how to access them, and other relevant information. The guide covers resources […]
Responding to an allegation that software and hardware used by the Energy Department’s Office of the CIO had no manufacturer support or updates/patches, the department’s Office of Inspector General initiated an audit to determine whether the agency was managing its cybersecurity in accordance with requirements, and found that it had not. In three information systems […]
In an audit to determine the capabilities and practices of the Commerce Department to carry out cybersecurity information sharing, consistent with the Cybersecurity Information Sharing Act of 2015, the agency’s Office of Inspector General found that: The department lacked an internal automated sharing capability, resulting in a tedious manual process to ingest or share cyber […]
The GAO’s Office of Inspector General conducted an assessment of the agency’s compliance with Federal Information Security Modernization Act requirements, which it uses as a model despite not being subject to the law. The OIG found that GAO has defined an information security program that is generally aligned with FISMA; however, it identified several opportunities […]
The DHS Office of Inspector General reports that the agency has not fully met requirements in the Cybersecurity Workforce Assessment Act to assess its...
Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid,...
GAO was asked to review the cybersecurity of the grid. Among other things, this report (1) describes the cybersecurity risks facing the grid, (2) assesses the extent to which DOE has defined a strategy for addressing grid cybersecurity risks, and (3) assesses the extent to which FERC-approved standards address grid cybersecurity risks. GAO found that […]