The GAO has found that agencies still are not in compliance with cybersecurity risk management best practices, saying that “until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy.”
Regarding cybersecurity practices, GAO reviewed 23 agencies and found that 22 had established the role of cybersecurity risk executive to provide agency-wide management and oversight of risk management. However, 16 have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions; 17 have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk; 13 have not fully established a process for coordinating between their cybersecurity and enterprise risk management (ERM) programs for managing all major risks; and 11 have not fully established a process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks.
All 23 named “hiring and retaining key cybersecurity management personnel” as a challenge to their cybersecurity risk management program, while 19 cited managing competing priorities between operations and cybersecurity, and 18 each cited establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data.
GAO said that existing OMB and DHS guidance addresses only some of those issues and that “without additional guidance or assistance to mitigate these challenges, agencies will likely continue to be hindered in managing cybersecurity risks.”