In our September 12, 2018 cybersecurity newsletter, we wrote about the warning sounded by the United States Government Accountability Office (GAO) in a report in which it found that urgent action was required to address the cybersecurity challenges facing the nation and the nation’s critical infrastructure, such as energy, transportation systems, communications and financial services. The 2018 report further noted that over 1,000 of the more than 3,000 recommendations it had made since 2010 to secure, among other things, critical information systems had not been implemented by most federal government agencies. This past month, the GAO again sounded the alarm, issuing another report that found that government agencies are not implementing key practices to minimize the “risk of cyber-based incidents that threaten national security and personal privacy.”  Click here for the July 2019 Report.

Specifically, the July 2019 GAO report found agencies lacking in the establishment of a cybersecurity risk management program that included “designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency’s enterprise risk management (ERM) program.” Even if most agencies designated a risk executive, those same agencies were found by GAO not to implement other key practices in their programs. The report, which involved the review of the cybersecurity practices of 23 agencies, found:

  • Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.

  • Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.

  • Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.

  • Eleven agencies have not fully established a process for assessing agencywide cybersecurity risks based on an aggregation of system-level risks.

  • Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.

The report also noted that a number of agencies identified a number of challenges with being able to fully implement a cybersecurity risk management program, as set forth in the following table from the GAO:


In its latest report, the GAO made a total of 57 recommendations to the 23 civilian agencies, with specific actions delineated by agency that are set forth in Appendix XII to the report. Generally, across the board, the actions the GAO found agencies should take include the development of a cybersecurity risk management strategy that incorporate specific recommendations. The report found that while all agencies had taken steps to establish risk management programs, they were not consistent and did not fully address “key practices that are foundational to effectively managing cybersecurity risks.” In that regard, the report identified gaps in the agencies’ programs that effect their ability to implement risk-based practices and the absence of a process for risk assessment, which may limit their ability to recognize and mitigate risks.  

As in the past, the report notes the critical actions that it believes must be implemented to minimize the threat from cyber-attacks. While its cybersecurity recommendations relate to government agencies and the persistent threats they face from state and bad actors, many organizations may find wish to consider and incorporate them into their own cybersecurity programs, depending upon their own risk assessments and applicable laws and regulations.