Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications—with pilots, maintenance crews, other aircraft, and air traffic controllers. Protection from cyberattacks is critical to safety. Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to...

5G will dramatically increase the number of devices connected to the Internet—and the number of opportunities for hackers to steal information and wreak havoc on connected systems. The Administration issued a National Strategy to Secure 5G, which we assessed against our 6 key characteristics for effective national strategies. The plan only partially addressed 5 of the 6 characteristics. For exam...

Increasingly sophisticated threats underscore the need to bolster the cybersecurity of the nation—a topic on our High Risk List. We and others have noted an urgent need to clearly define a central leadership role to coordinate government efforts. Despite the issuance of a National Cyber Strategy in 2018, it is still unclear which executive branch official is ultimately responsible for not only c...

The U.S. and its allies face expanding foreign cyber threats as international trade, communication, and critical infrastructure grow increasingly dependent on cyberspace. In 2019, the State Department said it would establish a Bureau of Cyberspace Security and Emerging Technologies to focus on the issue. State works with other federal agencies on international cyber issues. However, it has not inf...

The financial services sector, a critical component of the nation's infrastructure that holds over $108 trillion in assets, is an increasingly attractive target for cyber-based attacks. The sector includes banks, mutual funds, and securities dealers The Treasury Department and other federal agencies are taking steps to reduce risks and bolster the sector's efforts to improve its cybersecurity. We...

DHS gives agencies cybersecurity tools that identify the hardware and software on their networks and check for vulnerabilities and insecure configurations. We reviewed how 3 agencies—the Federal Aviation Administration, Indian Health Service, and the Small Business Administration—used these tools. These agencies' hardware inventories were missing information and contained duplicates. For examp...

“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase. DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress. DOD has also develope...

Q: How does the government help keep banks, water systems, and other critical infrastructure from getting hacked? A: A federal agency that issues standards and procedures—NIST—has a cybersecurity framework that critical infrastructure organizations can adopt. All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organiz...

Federal agencies are increasingly using cloud computing services. Cloud computing offers benefits but also poses cybersecurity risks. OMB requires agencies to use the Federal Risk and Authorization Management Program to authorize their use of cloud services. Although agencies increased their program use—authorizations were up 137% from 2017 to 2019—15 of the 24 agencies we surveyed reported t...

The nation’s electric grid is becoming more vulnerable to cyberattacks—particularly those involving industrial control systems that support grid operations. Recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, but the scale of such outages is uncertain. The Department of Energy (DOE) plays a key role in helping address cybersecurity...

To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs. These key practices include: Designating a cybersecurity risk executive Developing a risk management strategy and policies Assessing cyber risks Coordinating between cybersecurity and enterprise-wide risk management functions All but one of the 23 agencies we r...

The Department of Defense (DOD) did not develop a comprehensive plan for U.S. Cyber Command (CYBERCOM); instead, the department submitted a report consisting of a collection of documents that fully addressed two of the six statutorily required elements; partially addressed three elements; and did not address the sixth element on DOD training activities.Table: Extent to Which the Department of Defe...

The Defense Department relies heavily on information technology to protect the nation and deter war. It requested about $36.1 billion for IT for fiscal year 2020. We looked at how cost and schedule estimates have changed in 15 major DOD IT programs and examined how software development approaches and cybersecurity practices may affect costs and timeframes. Cost estimates decreased for 11 programs...

The Department of Housing and Urban Development collects huge amounts of sensitive personal information for its housing, community investment, and mortgage loan programs. HUD often shares this information with affiliated agencies; contractors; and state, local, and tribal groups. HUD isn't taking enough action to protect information exchanged with others. The agency expects external entities to ha...

This testimony discusses our work on information technology challenges at the Department of Veterans Affairs. Despite spending over $4 billion annually on IT: VA still doesn't have IT systems that fully support critical services—e.g., veterans health care, the Family Caregiver Program, and disability benefits.Some VA IT management processes do not effectively implement federal IT acquisition law...

The federal government has spent billions on information technology projects that have failed or performed poorly. Some agencies have had massive cybersecurity failures. These IT efforts often suffered from ineffective management. We testified about 2 issues on our High Risk List: 1) IT acquisitions and operations management and 2) cybersecurity. Since 2010, agencies have implemented 64% of our 1,...

States must follow numerous cybersecurity requirements when using federal data. These requirements may vary by federal agency. State information security officials we surveyed told us, among other things, that the differing requirements cost states additional time and money, and could ultimately detract from security efforts. Among the 4 federal agencies we examined, 49% to 79% of security requi...

Terrorists and others may pose a cyber-threat to high-risk chemical facilities. Control systems, for example, could be manipulated to release hazardous chemicals. The Department of Homeland Security started a program more than a decade ago to help address these security risks. We reviewed the program. DHS guidance designed to help about 3,300 facilities comply with cybersecurity and other standar...

The Federal Communications Commission uses the Electronic Comment Filing System to receive public comments about proposed regulation changes. In May 2017, a surge of more than 22 million comments disrupted the system making it unavailable. We issued a September 2019 report with 136 recommendations for improvements in this and other FCC systems. The report was not publically released because it co...

The Office of Management and Budget has been working with federal agencies to reduce the number of outdated or duplicative federal data centers. In fiscal year 2019, agencies closed 102 centers, and planned to close 184 more. OMB also narrowed the definition of a data center, recategorizing about 2,000 facilities and excluding them from federal reporting requirements. But many of these facilities...

The Office of Congressional Workplace Rights enforces fair employment and occupational safety and health rules in the legislative branch. Congress passed a 2018 law that, among other things, required the office to create a secure online system for discrimination and harassment claims. We found weaknesses in the office’s project planning, system oversight, and cybersecurity risk management. For...

The Department of Homeland Security issues mandatory cybersecurity directives for most federal agencies. For example, one directive requires agencies to better secure their websites and email systems. If the actions specified in these directives are not addressed, agency systems can remain at risk. We found that these directives have often been effective in strengthening federal cybersecurity. Ho...