The Federal government’s response to the Russia-backed SolarWinds cyberhack – and the pressing need for government agencies to speed progress on putting in place cybersecurity protections including through the Continuous Diagnostics and Mitigation (CDM) program – were among issues that got top billing on March 2 as the Government Accountability Office (GAO) released the latest biennial update of its High Risk List of persistent problems in government that need fixing.
GAO, which along with Federal agency inspectors general form the backbone of Federal government oversight outside of Congress, said the latest edition of the High Risk List covers 36 areas across government that are “vulnerable to waste, fraud, abuse, and mismanagement or needing broad-based transformation.” The High Risk List encompasses thousands of existing GAO recommendations for government improvements – among them a large number that have been in place for many years and remain issues of enduring concern to the watchdog agency.
At the very top level of the latest report, the news on government progress was decidedly mixed.
GAO said that 20 of the major areas on the list “showed little change,” seven areas showed improvements, and five areas showed regressions. Two items – the Federal response to drug misuse and the government’s provision of emergency loans to small businesses through the Small Business Administration (SBA) during the coronavirus pandemic – were new additions to the High Risk List.
“The current list makes clear how much work remains to overcome a number of serious challenges facing the Federal government,” said Gene Dodaro, who heads GAO and is comptroller general of the United States. “Addressing them has the potential to save significant amounts of money and improve services that are vital to the wellbeing of the American people.”
Among the five areas showing regression in the latest GAO report was cybersecurity, and the watchdog agency was unsparing in its assessment of the lack of progress over the past two years, and the need to improve going forward.
In tracking changes to its similar assessment made two years ago, GAO said that its rating for one of five key criteria on the cybersecurity issue – leadership commitment – had declined.
Some of that sentiment stemmed from the Trump administration’s decision to eliminate the White House Cybersecurity Coordinator position in 2018, which GAO said made it unclear what executive branch official would take charge of improvement plans. On the more hopeful side, GAO noted legislation approved by Congress earlier this year to require a Senate-confirmed National Cyber Director for the executive branch to coordinate security policy and operations.
“Once this position is filled, the White House can (1) ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy, and (2) coordinate the government’s efforts to overcome the nation’s cyber-related threats and challenges,” GAO said.
More generally, GAO largely reiterated that “Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure Federal systems, and protect cyber critical infrastructure, privacy, and sensitive data.”
GAO also flagged the government’s cybersecurity workforce needs, saying that “Federal agencies have not fully assessed and addressed” those requirements.
“Agencies’ limited implementation of these activities has been due, in part, to not making IT/cybersecurity workforce planning a priority, although laws and guidance have called for them to do so for more than 20 years,” GAO said. “Until this occurs, agencies will likely not have the staff with the necessary knowledge, skills, and abilities to address cybersecurity risks and challenges.”
CDM, FedRAMP Progress
On the program side, GAO pointed to progress with programs that the government has put in place – including CDM and FedRAMP – but said that some Federal agencies “have been challenged in implementing them.”
Regarding CDM, GAO cited an August 2020 report in which it found that three selected Federal agencies said the program had “improved their network awareness,” but also that none of the three agencies examined had yet “effectively implemented all key CDM program requirements.”
Speaking with reporters today, Dodaro said that “CDM is an important tool” in efforts to improve government agency security, but also wondered whether the tools that the program works to put in place are adequate to the task. CDM tools, he said, “have been important in identifying known risks versus unknown risks,” but, he added, “we need different tools.”
“Agencies have incomplete security programs,” he continued, and “weaknesses in incident response capabilities … they don’t move as quickly as they need to.” He added, “we need to respond faster and better as well.”
Likewise, with FedRAMP, GAO noted its report in late 2019 that while the Office of Management and Budget (OMB) required agencies to use FedRAMP to authorize the use of cloud services, “it did not monitor or ensure that agencies were doing so.”
“We also reported that FedRAMP participants identified a number of challenges, such as a lack of agency resources required to authorize a cloud service or those needed by the provider to implement the program’s requirements,” GAO said “While GSA had taken steps aimed at addressing these challenges, its guidance on FedRAMP’s requirements and participant’s responsibilities were not always clear and the program’s process for monitoring the status of security controls over cloud services was limited.”
SolarWinds Report Coming
Dodaro told reporters that GAO is “looking at the SolarWinds issue right now” in an attempt to “unwrap different dimensions” of the hack and its implications. “We’ll have additional recommendations forthcoming,” he said.
The GAO chief flagged security weaknesses in the IT supply chain as a significant challenge and “one of the problems that led to the SolarWinds attack … that goes to the heart of the SolarWinds incident.”
Speaking during the same press conference, Sen. Rob Portman, R-Ohio, said he favored the Department of Homeland Security (DHS) taking the lead role in the Federal government on cybersecurity, rather than have the responsibility divided among DHS, the Pentagon, and intelligence agencies. “My own bias is we don’t have the accountability and coordination that we need,” he said, adding, “I think that would rest well with DHS.”
“We need a central coordinating authority to make sure that agencies are on track” with security, Sen. Portman said.
Dodaro expressed agreement with the idea of more coordination on Federal cybersecurity, and spoke favorably of the idea of a Senate-confirmed official for that role in the executive branch.
Enduring Cyber Challenges Remain
Dodaro reminded today that cybersecurity is a long-standing government problem, and has been on the High Risk List since 1997. GAO, he said, “has been trying to get attention to this ever since.”
“So far, the Federal government has made a lot of efforts” to improve security, he said, “but not at a pace commensurate with the growing threat.”
“This needs to change,” Dodaro said.
GAO said the Federal government’s four “major” cybersecurity challenges are:
- Establishing and implementing a comprehensive cybersecurity strategy and performing effective oversight;
- Securing Federal systems and information;
- Protecting cyber critical infrastructure; and
- Protecting privacy and sensitive data.
Needed to solve those are ten “critical actions” identified by GAO. Among them:
- Improving on supply chain risks;
- Ensuring security of emerging technologies like AI and internet of things;
- Better assessing risks to Federal systems;
- Improving Federal responses to cyber incidents;
- Strengthening the Federal role in the protection of critical infrastructure sectors including the power grid; and
- Improving data privacy and security.