GAO has issued another call to boost cybersecurity staffing in federal agencies–a theme repeatedly sounded by that agency and others for years–as part of an overall strategy to strengthen the government’s defenses.
GAO noted that from fiscal year 2006 through fiscal year 2015, the number of security incidents reported by federal agencies increased from 5,503 to 77,183. That figure dropped to 33,632 in fiscal 2016, a decrease GAO attributed to revised incident reporting requirements that no longer require agencies to report non-cyber incidents or attempted scans or probes of agency networks.
The latest report said that while well recognized, the personnel aspect of cybersecurity “has been a long-standing dilemma for the federal government.” Issues include having sufficient staff allotments; recruiting, hiring, and retaining personnel; and ensuring that they have appropriate skills and expertise.
It cited a prior report in which it found that of eight agencies studied, only five had developed workforce plans that addressed cybersecurity, all eight reported challenges with filling cybersecurity positions, and only three had a department-wide training program for their cybersecurity workforce.
The report noted that GAO has made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information over the last several years. The latest report characterized the government’s other primary needs as: implementing risk-based entity-wide information security programs consistently over time; improving incident detection, response, and mitigation; strengthening cyber protection of critical infrastructure; and better controlling personally identifying information.