GAO was asked to evaluate federal agencies’ cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies’ cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies’ cybersecurity.
Although the Centers for Medicare and Medicaid Services, FBI, IRS, and Social Security Administration each established requirements to secure data that states receive, GAO found these requirements often had conflicting parameters. The agencies each either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other.
