US federal agencies have poor cyber risk management

By Dylan Bushell-Embling
Tuesday, 06 August, 2019

The US Government Accountability Office (GAO) has conducted a forensic audit into the cybersecurity risk management practices of 23 federal agencies, finding a number of serious shortcomings.

The audit found that 16 of the agencies had not fully established a cybersecurity risk management strategy.

In addition, 17 have not fully established agency- and system-level policies for assessing, responding to and monitoring risk, and 13 had not fully established a process for coordinating between their cybersecurity and enterprise risk management programs for managing all major risks.

All of the agencies audited reported challenges in hiring and retaining key cybersecurity management-level staff, while 19 reported challenges managing competing priorities between operations and cybersecurity.

Other common challenges involve establishing and implementing consistent policies and procedures (reported by 18 agencies), establishing and implementing standardised technology capabilities (18), receiving quality risk data (18), using federal cybersecurity risk management guidance (16), developing an agency-wide risk management strategy (15) and incorporating cyber risks into enterprise risk management (14).

On the positive side, 22 of the 23 agencies had established the dedicated role of cybersecurity risk executive.

The GAO also made 58 recommendations for the 23 agencies to bolster their approach to cybersecurity risk management, one of which was the development of processes for agencies to share methods for addressing cybersecurity challenges.

The remaining 57 recommendations were for individual agencies, and covered areas including developing or updating cybersecurity risk management strategies, requiring various departments to conduct organisation-wide risk assessments and establishing processes for coordination between cybersecurity and enterprise risk management functions.

The audit found that cybersecurity represents a growing threat to government agencies. In the 2017 financial year, federal agencies reported a total of 35,277 incidents to US-CERT.

By way of example, the report notes a recent joint alert from the Department of Homeland Security and the FBI stating that cybercriminals linked to the Russian government had been targeting federal government IT systems since at least March 2016.

  • All content Copyright © 2019 Westwick-Farrow Pty Ltd