Citation
Government Accountability Office, Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges (GAO-19-384) (July 25, 2019) (full-text).
Overview
Federal agencies face a growing number of cyber threats to their systems and data. To protect against these threats, federal law and policies emphasize that agencies take a risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing their cyber risks. In addition, the OMB and DHS play important roles in overseeing and supporting agencies' cybersecurity risk management efforts.
The GAO was asked to review federal agencies' cybersecurity risk management programs. The GAO examined (1) the extent to which agencies established key elements of a cybersecurity risk management program; (2) what challenges, if any, agencies identified in developing and implementing cybersecurity risk management programs; and (3) steps the OMB and DHS have taken to meet their risk management responsibilities and address any challenges agencies face.
The GAO has made 57 recommendations to the 23 agencies and one to the OMB, in coordination with the DHS, to assist agencies in addressing challenges.