Cybersecurity

Overview

Federal agencies and our nation’s critical infrastructure—such as energy, transportation systems, communications, and financial services—depend on IT systems to carry out operations and process essential data.

But the risks to these IT systems are increasing—including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks. Rapid developments in new technologies, such as artificial intelligence, the Internet of Things, and ubiquitous Internet and cellular connectivity, can also introduce security issues.

Over 28,000 security incidents were reported by federal civilian agencies to the Department of Homeland Security in FY 2019.

28,581 total information security incidents

Additionally, since many government IT systems contain vast amounts of personally identifiable information (PII), federal agencies must protect the confidentiality, integrity, and availability of this information—and effectively respond to data breaches and security incidents. Likewise, the trend in the private sector of collecting extensive and detailed information about individuals needs appropriate limits.

To highlight the importance of these issues, GAO has designated information security as a government-wide high-risk area since 1997. This high-risk area was expanded in 2003 to include the protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.

Ten critical actions needed to address four major cybersecurity challenges

GAO has made about 3,300 recommendations to federal agencies to address cybersecurity shortcomings—and we reported that more than 750 of these had not been fully implemented as of December 2020. Of these more than 750 recommendations, we designated 67 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. Until these shortcomings are addressed, federal and critical infrastructure IT systems will be increasingly susceptible to cyber threats.

For more on GAO's reports and recommendations, see the key reports tab above.

Key Reports

High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges

GAO-21-288

Published: Mar 24, 2021.

Publicly Released: Mar 24, 2021.

Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems

GAO-21-81

Published: Mar 18, 2021.

Publicly Released: Mar 18, 2021.

Cybersecurity and Infrastructure Security Agency: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

GAO-21-236

Published: Mar 10, 2021.

Publicly Released: Mar 10, 2021.

Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors

GAO-21-179

Published: Mar 04, 2021.

Publicly Released: Mar 04, 2021.

Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans

GAO-21-25

Published: Feb 11, 2021.

Publicly Released: Mar 15, 2021.

Cyber Diplomacy: State Should Use Data and Evidence to Justify Its Proposal for a New Bureau of Cyberspace Security and Emerging Technologies