The Government Accountability Office (GAO) scolded a trio of federal agencies on Monday because their CIOs haven’t implemented IT-related recommendations designed to safeguard national cybersecurity.
The GAO flagged failures at the General Services Administration (GSA), the Environmental Protection Agency (EPA), and the Department of Homeland Security (DHS) in three separate reports, one per agency. The GSA has just four outstanding recommendations and the EPA 11, while the DHS CIO has 43 unresolved recommendations dating back as far as 2018, seven of which the GAO flagged as priority matters.
While the specifics vary per agency, two commonalities emerged across all three reports: the GSA, EPA, and DHS have each failed to properly log cybersecurity events and to conduct annual reviews of their IT portfolios, both of which federal policy requires.
Aside from those similarities, how the agencies have fallen behind on implementing GAO IT recommendations varies.
The GSA got off easiest: its other two open recommendations concern implementation of Trump's 2020 executive order on AI, which requires agencies to report their AI use cases and to tie each AI deployment to a specific purpose. DHS was called out for the same shortcoming.
The EPA has cloud software management problems
Of the EPA’s 11 outstanding GAO recommendations, several pertain to bad cloud software management.
According to the report, the EPA has not submitted the documentation the FedRAMP program office requires to show it is complying with that program's cloud security requirements, nor has it maintained a tracked list of corrective actions (the plan of action and milestones used to follow up on known weaknesses) for those cloud platforms.
The EPA also does not appear to be maintaining proper service level agreements with the cloud providers it uses. Beyond the cloud, it has not identified which IT systems are candidates for replacement, has not assessed whether its air quality systems need updating, and missed the deadline for a requested inventory of its IoT devices.
Finally, the GAO said the EPA still has not established a process for conducting an organization-wide cybersecurity risk assessment, despite the GAO first recommending one in 2018.
DHS still has an unstable HART beat
You may recall that, in 2023, we reported on a number of shortcomings in the DHS' Homeland Advanced Recognition Technology (HART) program identified by the GAO. All nine of those HART recommendations remain open.
Per yesterday's report, HART is still behind schedule, with no proper accounting of costs, no resolution of the privacy concerns raised, and no proper privacy controls in place. DHS does not even have sufficient documentation of how it will secure the PII stored in HART systems.
But that’s not all.
DHS is also not properly coordinating with the federal CIO on "high-risk IT investment reviews" as federal regulation requires, has not established Agile software development training requirements despite being directed to, and has not transitioned its systems to IPv6 despite the government-wide mandate.
The CIOs at the US Secret Service and the Coast Guard were also covered in the DHS report, and both have critical IT-related recommendations of their own still unimplemented.
The Secret Service's IT training and workforce planning have been a mess for years, per the GAO: the agency has failed to ensure IT workers complete required training, and has not even defined what that training should be.
The Coast Guard, for its part, is not implementing IT programs properly: it has failed to develop network capacity planning policies, complete an inventory of its operational technology, and apply the DoD risk management framework.
In short, it’s a mess over there.
GAO hopes new CIOs will be the fix they need
A trio of reports like these can easily be seen as a bunch of nastygrams to agencies from auditors begging for compliance, but the GAO assures us that’s not the case.
“Historically, agencies often struggle to address outstanding recommendations due to issues such as staffing, resources, and technical challenges,” GAO IT and cybersecurity director Vijay D’Souza told The Register in an email. “These letters will help to inform recently appointed CIOs on these issues.”
And if those new Trump 2.0 CIOs can’t turn things around, there’s always Congress.
Most of the recommendations in the three reports fall under two areas the GAO considers high risk: ensuring national cybersecurity, and improving IT acquisitions and management.
“We track and report the status of these areas and issue reports at the start of each new Congress,” D’Souza told us. “We also have ongoing conversations with our Congressional clients on the status of recommendations and sent copies of these letters to the appropriate congressional committees.”
In other words, those with the authority to enforce the GAO’s polite recommendations will be hearing about this. That’s already driven “a few agencies” to reach out and discuss those outstanding recommendations, D’Souza said. So far, so good – now we just have to see some follow through. ®