The Government Accountability Office (GAO) needs to do more work to protect data and systems through privacy program improvements, an agency Office of Inspector General (OIG) report found.
The OIG evaluated GAO’s information systems against selected fiscal year (FY) 2021 IG Federal Information Security Modernization Act (FISMA) reporting metrics and found areas for improvement in managing data protection and privacy.
GAO has taken steps to protect sensitive information and prevent data exfiltration. But the OIG said the agency has more opportunities to improve its privacy program in incident response and in training for people with specific roles.
The OIG found that GAO’s Incident Response plan “does not contain all the recommended elements for addressing incidents involving Personally Identifiable Information (PII).” It said that all GAO employees and contractors receive privacy training annually, but that the training for personnel with role-specific responsibility for PII has not been consistently implemented.
The OIG also performed a penetration test to assess the effectiveness of controls in the configuration management and information security continuous monitoring categories, but did not identify any significant vulnerabilities that would result in a compromise.
The OIG made a couple of recommendations, which GAO agreed to, including:
- Define and implement policies and procedures for incident response that align with guidance from the National Institute of Standards and Technology (NIST) for assessing privacy impact and incidents; and
- Define and implement policies and procedures for role-based privacy training to identify who must regularly take the training, and ensure annual compliance with the training.