Agencies in the United States receive low marks for failing to adhere to top-notch Information Technology standards

Cybersecurity lapses at the Environmental Protection Agency (EPA), Department of Homeland Security (DHS), and General Services Administration (GSA) have been brought into focus, as CIOs at these departments have allegedly failed to incorporate crucial cybersecurity measures.

Three U.S. organizations fall short in adhering to optimal information technology practices
The Government Accountability Office (GAO) has issued a scathing report, highlighting failures in implementing IT-related cybersecurity safeguards at three key federal agencies: the General Services Administration (GSA), Environmental Protection Agency (EPA), and Department of Homeland Security (DHS).

The report criticises these agencies for failing to implement critical IT-related cybersecurity recommendations that are vital for national cybersecurity.

Specifically, the GAO reported that:

  • The DHS has 43 unresolved IT recommendations, including seven priority items dating back to 2018.
  • The EPA has 11 outstanding recommendations.
  • The GSA has 4 outstanding recommendations.

Common deficiencies among these agencies include failure to properly log cybersecurity events and conduct annual IT portfolio reviews, which are mandatory under federal policies. For instance, both the GSA and DHS failed to fully implement an executive order from 2020 concerning artificial intelligence deployment and reporting[1].

In practical terms, these agencies have not sufficiently addressed crucial aspects such as:

  • Cyber event logging and detection
  • IT asset management and portfolio reviews
  • Proper implementation of federal mandates on emerging technologies like AI

These implementation failures hinder the agencies' ability to strengthen their cybersecurity defenses effectively, despite GAO's repeated recommendations.

While the DHS plays a critical role in national cybersecurity through initiatives like the Cybersecurity and Infrastructure Security Agency (CISA), which supports state, local, tribal, and territorial cyber defense and critical infrastructure resilience, its own implementation of cybersecurity recommendations remains lacking[4].

The GAO's report also flags issues with the DHS' Homeland Advanced Recognition Technology (HART) program, which still has all nine recommendations open, indicating that DHS has not yet implemented any of them. Additionally, the EPA has not submitted required documentation to the FedRAMP program office, nor has it maintained a list of corrective actions for cloud security weaknesses.

Moreover, the EPA has been struggling with issues related to poor cloud software management, failing to maintain proper service level agreements with cloud providers, and not identifying IT systems for replacement or updating its air quality systems.

In summary, the EPA, GSA, and DHS have not adequately addressed the GAO's IT-related national cybersecurity recommendations. This shortcoming undermines their ability to safeguard federal information systems and infrastructure[1].

[1] Reference: [Link to the original GAO report]

[4] Reference: [Link to the DHS CISA website]

  1. The GAO's report critiques the failure of the DHS, EPA, and GSA to implement IT-related cybersecurity recommendations, essential for national cybersecurity.
  2. The DHS has 43 unresolved IT recommendations, including seven priority items dating back to 2018, and the EPA has 11 outstanding ones.
  3. The GSA hasn't addressed four critical IT-related recommendations, and one common deficiency among these agencies involves not properly logging cybersecurity events and conducting annual IT portfolio reviews.
  4. The agencies have not sufficiently addressed cyber event logging and detection, IT asset management, and implementing federal mandates on emerging technologies like AI.
  5. The DHS' Cybersecurity and Infrastructure Security Agency (CISA) plays a crucial role in national cybersecurity, but the DHS itself has yet to fully implement an Executive Order from 2020 concerning AI deployment and reporting.
  6. The EPA's issues include poor cloud software management, failing to maintain proper service level agreements with cloud providers, and not identifying IT systems for replacement or updating its air quality systems, which is detrimental to its overall security posture in line with GAO's recommendations.
