GAO report faults CIOs, OMB for slow adoption of cybersecurity recommendations

The US General Accountability Office (GAO) issued the 19-page report, “Cybersecurity and Information Technology: Federal Agencies need to Strengthen Efforts to Address High-Risk Areas” on July 29. It was preceded by President Biden’s comments made to the Office of the Director National Intelligence and staff and the leadership of the intelligence community on July 27. Both pointed out shortcomings in the cyber readiness of the United States government.

The President’s comments to the intel community caused a bit of a stir when he said, “If we [United States] end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence.”

The President’s thoughts were not made in coordination with the GAO, yet one could argue he displayed a bit of prescience when he uttered the cause of a future conflagration being found within a “cyber breach of great consequence.”

To that end, the GAO report was all about highlighting gaps and work to be done. It identified four areas of great import:

1. Establishing a comprehensive cybersecurity strategy and performing effective oversight
2. Securing federal systems and information
3. Protecting critical infrastructure
4. Protecting privacy and sensitive data

General Accountability Office

GAO continued within the report to signal how the US federal government is ripe for a cyber failure, highlighting “key cybersecurity challenges” needing the government’s attention.

1. Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace.
2. Mitigate global supply chain risks.
3. Address weaknesses in federal agencies information security programs.

Frustration from the GAO on the need to be repetitive in their admonishments is evident as they discuss recommendations: “Federal agencies have implemented about 73% of the approximately 5,100 recommendations that GAO has made since 2010 on cybersecurity and IT management. However, about 950 cybersecurity and approximately 300 IT recommendations have not been implemented. Actions are needed on these to successfully address the high-risk areas.”

GAO’s cybersecurity recommendations

The GAO called it as they saw it, highlighting how “federal IT investments often suffer from a lack of disciplined and effective management.” They noted, again, the how 23 agencies have failed in their efforts to put together a comprehensive risk management strategy. They also called onto the carpet the National Security Council (NSC) for its silence in addressing the recommendation that the NSC work with various government entities to formulate and update a national security strategy.

Who is going to lead the creation of a national cybersecurity strategy?

In April 2021, President Biden nominated former deputy director of NSA, John “Chris” Inglis, as the first National Cyber Director and in June 2021, the Senate confirmed this nomination. The Cybersecurity and Infrastructure Security Agency (CISA) saw the Senate confirmation of Jen Easterly, a former NSA and Cyber Command official, to the role of director CISA.

Upon the confirmation of Inglis, Senator Angus King (I-ME) commented, “America is a uniquely connected nation, but that leaves us especially exposed to bad actors, and our cyber vulnerabilities are being exploited to make our nation less safe.”

It stands to reason that the national cybersecurity strategy formulation and implementation will fall under the purview of these two new leaders and should be on their “to do list,” as they snap-in to their new roles.

The role of federal CIOs

In August 2018, the GAO had recommended, government-wide, how the CIO’s role across government needed to evolve to align with federal law and OMB’s guidance. The guidance, quite basic, makes sure CIOs and staff “have the necessary knowledge and skills to effectively acquire IT.” As of July 2021, only three of the 24 major federal agencies had taken action to adopt the GAO recommendations. Meanwhile, OMB must adjust their guidance to affect change and the CIO responsibilities. Until this occurs, CIO offices they will be operating at a deficit, and “may not have the personnel needed to effectively acquire, maintain and secure their IT systems.”

OMB as gatekeeper

The Office of Management and Budget (OMB) had been identified in December 2020 as the gatekeeper of the funds allocated in the Technology Modernization Fund (TMF). The GAO report chastised the OBM for not having:

1. Developed a plan to address the challenges with the operating fund
2. Clarified guidance for agencies on awarding projects

Congress and the President, through legislature, allocated an additional $1 billion to the TMF. As of July 2021, OMB had not yet taken the necessary steps to help the CIOs do their job. Indeed, the report highlights how only 11 projects, valued at $89 million have been awarded to date by seven federal agencies. The GAO will continue to evaluate OMB’s effort in relation to the TMF with the intent to issue a report by the end of CY2021.  

GAO’s conclusions

For those within government and supporting government IT and information security efforts, the fact that the government is targeted by foreign adversaries is not hypothetical. On Friday, July 30, the US Department of Justice revealed that 27 US attorney offices had at least one employee’s email compromised in the SolarWinds attack attributed to Russia. Additionally, the Eastern, Northern, Southern and Western Districts of New York had approximately 80% of their employees’ emails compromised.

The President’s commentary concerning the likelihood of the next armed conflict being set off by a major cyber breach, while sobering, should be equally as motivating for the OMB and federal agencies to update federal CIO authorities, IT processes and procedures to secure government systems.

Again, approximately 1,250 GAO recommendations have not been implemented across government. The GAO report concludes with how “longstanding and pervasive weaknesses continue to jeopardize the security and effectiveness of federal agencies’ IT and electronic data and the safety of our nation’s critical infrastructures. Federal agencies and OMB have taken some important actions; nevertheless, further actions are needed.”

With gaps identified and guidance provided from budgeting to procurement to implementation, CIO offices across government have their marching orders.