Resource Library

In an audit to determine the capabilities and practices of the Commerce Department to carry out cybersecurity information sharing, consistent with the Cybersecurity Information Sharing Act of 2015, the agency’s Office of Inspector General found that: The department lacked an internal automated sharing capability, resulting in a tedious manual process to ingest or share cyber […]

The GAO’s Office of Inspector General did an assessment of the agency’s compliance with Federal Information Security Modernization Act requirements, which it uses as a model despite not being subject to the law. The OIG found that GAO has defined an information security program that is generally aligned with FISMA, however it identified several opportunities […]

The DHS Office of Inspector General reports that the agency has not fully met requirements in the Cybersecurity Workforce Assessment Act to assess its...

GAO was asked to review the cybersecurity of the grid. Among other things, this report (1) describes the cybersecurity risks facing the grid, (2) assesses the extent to which DOE has defined a strategy for addressing grid cybersecurity risks, and (3) assesses the extent to which FERC-approved standards address grid cybersecurity risks. GAO found that […]

In January 2019, the Department of Energy Office of Inspector General initiated a review to determine whether the selected DOE location had effectively managed its cybersecurity program. OIG identified issues of such serious concern that it issued a management alert notifying cognizant officials of the need for immediate action to address these risks. The preliminary […]

The Veterans’ Affairs Office of Inspector General conducted an inspection in response to episodes of non-adherence to policies on patient information privacy and security at the Tibor Rubin VA Medical Center in Long Beach, California. After a VA computer update, a facility diagnostic device no longer interfaced with VHA patients’ electronic health records. To continue […]

Key practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency’s enterprise risk management program. Although the 23 agencies GAO reviewed almost always designated a risk executive, […]

The GAO reports that during fiscal year 2018, many federal agencies were often not adequately or effectively implementing their information security policies and practices. For example, most of the 16 agencies GAO selected for review had deficiencies related to implementing the eight elements of an agency-wide information security program required by the Federal Information Security […]

The GAO found that the OMB and federal agencies have taken steps to improve the management of IT acquisitions and operations and ensure federal cybersecurity through a series of initiatives. As of June 2019, federal agencies had fully implemented 60 percent of the 1,277 IT management-related recommendations that GAO has made to them since fiscal […]

The Commerce Department’s office of inspector general reports that the Patent and Trademark Office’s has inadequately managed its Active Directory security database, and it has poorly protected its critical IT assets hosting the directory. It concluded that these deficiencies put the USPTO’s ability to accomplish its mission at significant risk. The directory management problems included […]