Information Security: Advisory Organizations
- U.S. General Accountability Office (GAO)
[www.gao.gov] —
is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog,"
its objectives are to:
- investigate how the federal government spends taxpayer dollars
- support Congress in meeting its constitutional responsibilities
- help improve the performance and ensure the accountability of the federal government for the benefit of the American people
- provide Congress with timely, objective, fact-based, nonpartisan, nonideological, fair, and balanced information
The head of GAO, the Comptroller General of the United States, is appointed to a 15-year term by the President from candidates Congress proposes. Among its numerous publications are many related to information security and cybersecurity,
including the following five:
- IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data
[https://www.gao.gov/products/GAO-18-391]
—
IRS must keep its computer systems secure to protect sensitive financial and taxpayer information.
We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing
the use of encryption. However, we found continuing and new deficiencies, such as unenforced rules
for password security. We recommended that IRS take 5 additional actions to bolster security.
In a separate report with limited distribution, we recommended 32 other actions to address newly
identified deficiencies. 31 Jul 2018
- Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation
[www.gao.gov/products/gao-18-645T.pdf]
—
GAO identified four major cybersecurity challenges and 10 critical actions that the federal
government and other entities need to take to address them. GAO continues to designate
information security as a government-wide high-risk area due to increasing cyber-based threats
and the persistent nature of security vulnerabilities. 25 Jul 2018
- Defense Security Service Should Address Challenges as New Approach Is Piloted
[www.gao.gov/products/GAO-18-407]
—
DoD's Defense Security Service (DSS) determines government contractors' eligibility to access
classified information and monitors over 12,000 contractor facilities. It is facing
new challenges as adversaries try to steal national security information and technology at
unprecedented rates. DSS is piloting a new approach that requires collaboration with
stakeholders such as other federal agencies and contractors. However, the GAO found
that DSS has not established how it will do this. 14 May 2018
- DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks
[www.gao.gov/products/GAO-18-520T]
—
In recent years, the DHS has acted to improve and promote the cybersecurity of federal and
private-sector computer systems and networks, but further improvements are needed.
Specifically, consistent with its statutory authorities, DHS has made important progress
in implementing programs and activities that are intended to mitigate cybersecurity risks
on the computer systems and networks supporting federal operations and our nation's critical
infrastructure. Nevertheless, the department has not taken sufficient actions to ensure
that it successfully mitigates cybersecurity risks. 24 Apr 2018
- CMS Oversight of Medicare Beneficiary Data Security Needs Improvement
[www.gao.gov/products/GAO-18-210]
—
The Centers for Medicare and Medicaid Services (CMS) shares Medicare beneficiary data with
three major types of external entities: (1) Medicare Administrative Contractors (MAC)
that perform processing and distribution functions that support the payment of Medicare benefits;
(2) research organizations (researchers) that use Medicare beneficiary data to study how health
care services are provided to beneficiaries; and (3) qualified public or private entities that
use claims data to evaluate the performance of Medicare service providers and equipment suppliers.
CMS has developed requirements for implementing security controls that align with federal guidance
for MACs and qualified entities, but it has not developed equivalent guidance for researchers.
Researchers must adhere to broad governmentwide standards, but are not given guidance on which
specific controls to implement. The lack of specific guidance increases the risk that external
entities possessing agency data may not have applied security controls that meet CMS standards.
Additionally, CMS has established an oversight program for the security of MAC data, but has not
established a corresponding program to oversee security implementation by researchers and qualified
entities. 6 Mar 2018
- InfraGard
[www.infragard.net] —
is an information sharing and analysis effort serving the interests and combining the knowledge
base of its 82 chapters with more than 46,000 members nationwide helping to protect and defend
critical infrastructures. InfraGard is a cooperative undertaking between the U.S. government
(led by the FBI and the NIPC) and an association of businesses, academic institutions,
state and local law enforcement agencies, and other participants dedicated to increasing
the security of U.S. critical infrastructures. The goal of InfraGard is to
enable the flow of information so that the owners and operators of infrastructure assets
(which are 80 to 90% privately owned) can better protect themselves and so that the U.S.
government can better discharge its law enforcement and national security responsibilities.