- U.S. General Accountability Office (GAO)
is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog,"
its objectives are to:
The head of GAO, the Comptroller General of the United States, is appointed to a 15-year term by the President from candidates Congress proposes. Among its numerous publications are many related to information security and cybersecurity,
including the following five:
- investigate how the federal government spends taxpayer dollars
- support Congress in meeting its constitutional responsibilities
- help improve the performance and ensure the accountability of the federal government
for the benefit of the American people
- provide Congress with timely, objective, fact-based, nonpartisan, nonideological, fair, and balanced information
- IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting
Sensitive Financial and Taxpayer Data
IRS must keep its computer systems secure to protect sensitive financial and taxpayer information.
We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing
the use of encryption. However, we found continuing and new deficiencies, such as unenforced rules
for password security. We recommended that IRS take 5 additional actions to bolster security.
In a separate report with limited distribution, we recommended 32 other actions to address newly
identified deficiencies. 31 Jul 2018
- Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation
GAO identified four major cybersecurity challenges and 10 critical actions that the federal
government and other entities need to take to address them. GAO continues to designate
information security as a government-wide high-risk area due to increasing cyber-based threats
and the persistent nature of security vulnerabilities. 25 Jul 2018
- Defense Security Service Should Address Challenges as New Approach Is Piloted
DoD's Defense Security Service (DSS)determines government contractors' eligibility to access
classified information and monitors over 12,000 contractor facilities. It is facing
new challenges as adversaries try to steal national security information and technology at
unprecedented rates. DSS is piloting a new approach that requires collaboration with
stakeholders such as other federal agencies and contractors. However, the GAO found
that DSS has not established how it will do this. 14 May 2018
- DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and
In recent years, the DHS has acted to improve and promote the cybersecurity of federal and
private-sector computer systems and networks, but further improvements are needed.
Specifically, consistent with its statutory authorities, DHS has made important progress
in implementing programs and activities that are intended to mitigate cybersecurity risks
on the computer systems and networks supporting federal operations and our nation's critical
infrastructure. Nevertheless, the department has not taken sufficient actions to ensure
that it successfully mitigates cybersecurity risks. 24 Apr 2018
- CMS Oversight of Medicare Beneficiary Data Security Needs Improvement
The Centers for Medicare and Medicaid Services (CMS) shares Medicare beneficiary data with
three major types of external entities: (1) Medicare Administrative Contractors (MAC)
that perform processing and distribution functions that support the payment of Medicare benefits;
(2) research organizations (researchers) that use Medicare beneficiary data to study how health
care services are provided to beneficiaries; and (3) qualified public or private entities that
use claims data to evaluate the performance of Medicare service providers and equipment suppliers.
CMS has developed requirements for implementing security controls that align with federal guidance for
for MACs and qualified entities, but it has not developed equivalent guidance for researchers.
Researchers must adhere to broad governmentwide standards, but are not given guidance on which
specific controls to implement. The lack of specific guidance increases the risk that external
entities possessing agency data may not have applied security controls that meet CMS standards.
Additionally, CMS has established an oversight program for the security of MAC data, but has not
established a corresponding program to oversee security implementation by researchers and qualified
entities. 6 Mar 2018
is an information sharing and analysis effort serving the interests and combining the knowledge
base of its 82 chapters with more than 46,000 members nationwide helping to protect and defend
critical infrastructures. InfraGard is a cooperative undertaking between the U.S. government
(led by the FBI and the NIPC) and an association of businesses, academic institutions,
state and local law enforcement agencies, and other participants dedicated to increasing
the security of U.S. critical infrastructures. The goal of InfraGard is to
enable the flow of information so that the owners and operators of infrastructure assets
(which are 80 to 90% privately owned) can better protect themselves and so that the U.S.
government can better discharge its law enforcement and national security responsibilities.