Tag: gao

Time Frames to Complete CISA Efforts Would Help Sector Risk Management Agencies Implement Statutory Responsibilities

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector

Protecting critical infrastructure that helps provide necessities like water, electricity, and food is a national priority. Events like natural disasters or cyberattacks can disrupt services Americans need for daily life.

We testified that many federal agencies work to protect the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We've recommended that CISA set timelines for completing this work.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for Sector Risk Management Agencies (SRMAs). These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described to GAO new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for SRMAs. New activities officials described to address these responsibilities included developing a communications risk register and developing emergency preparedness exercises.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help SRMAs implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. SRMA officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.
Why GAO Did This Study

Critical infrastructure provides essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of SRMAs in carrying out responsibilities set forth in the act. This statement addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA identified and undertook efforts to help agencies implement their responsibilities set forth in the act.

This statement is based on GAO's February 2023 report on SRMA efforts to carry out critical infrastructure protection responsibilities and CISA's efforts to help SRMAs implement those responsibilities. For that report, GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

In its February 2023 report, GAO recommended that CISA establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

Leave a comment , , ,

GAO Wants Time Frames to Complete DHS Efforts on Critical Infrastructure Security

Agency News, Cyber Security CII sector, Industry News, Organisation Types, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

Protecting critical infrastructure—like water supplies, electricity grids, and food production—is a national priority. Events like natural disasters or cyberattacks can disrupt services that Americans need for daily life.

Many federal agencies are tasked with protecting the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We recommended that CISA set timelines for completing this work.

GAO found that the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for sector risk management agencies. These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for sector risk management agencies. New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help sector risk management agencies implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. Sector risk management agency officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.

Why GAO Did This Study

Critical infrastructure provides essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of sector risk management agencies in carrying out responsibilities set forth in the act. This report addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA has identified and undertaken efforts to help agencies implement their responsibilities set forth in the act.

GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

Recommendations

The Director of CISA should establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

Recommendations for Executive Action
Agency Affected
Cybersecurity and Infrastructure Security Agency

Recommendation
The Director of CISA should establish milestones and timelines for its efforts to provide guidance and improve coordination and information sharing that would help SRMAs implement their FY21 NDAA responsibilities, and ensure the milestones and timelines are updated through completion. (Recommendation 1)

Actions to satisfy the intent of the recommendation have not been taken or are being planned.

Leave a comment , , , ,

Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News

Federal systems are vulnerable to cyberattacks. High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the third in a series of four, GAO covers the action related to protecting cyber critical infrastructure—specifically, strengthening the federal role in cybersecurity for critical infrastructure. For example, the Department of Energy needs to address cybersecurity risks to the U.S. power grid.

The GAO made 106 public recommendations in this area since 2010. Nearly 57% of those recommendations had not been implemented as of December 2022.

Strengthen the Federal Role in Protecting Cyber Critical Infrastructure

The U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks. Distribution systems are growing more vulnerable, in part because of industrial control systems’ increasing connectivity. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.

Examples of Techniques for Gaining Initial Access to Industrial Control Systems

GAO reported in March 2021 that DOE, as the lead federal agency for the energy sector, developed plans to help combat these threats and implement the national cybersecurity strategy for the grid. However, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. By not having plans that address the improvement to grid distribution systems’ cybersecurity, DOE’s plans will likely be of limited use in prioritizing federal support to states and industry.

➢ GAO recommended that, in developing plans to implement the national cybersecurity strategy for the grid, DOE coordinate with DHS, states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks.

The communications sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to CISA and sector stakeholders. In addition to managing federal coordination during incidents impacting the communications sector, CISA shares information with sector stakeholders to enhance their cybersecurity and improve interoperability, situational awareness, and preparedness for responding to and managing incidents.

Examples of Potential Security Threats to the Communications Sector

In November 2021, we reported that CISA had not assessed the effectiveness of its programs and services supporting the security and resilience of the communications sector. By completing such an assessment, CISA would be better positioned to determine which programs and services are most useful or relevant in supporting the sector’s security and resilience. We also reported that CISA had not updated its 2015 Communications Sector-Specific Plan. Developing and issuing a revised plan would help CISA to address emerging threats and risks to the communications sector.

➢ GAO recommended that CISA assess the effectiveness of its programs and services to support the communications sector and, in coordination with public and private communications sector stakeholders, produce a revised Communications Sector-Specific Plan.

Ransomware is a form of malicious software that threat actors use in a multistage attack to encrypt files on a device and render data and systems unusable. These threat actors then demand ransom payments in exchange for restoring access to the locked data and systems.

Four Stages of a Common Ransomware Attack

In September 2022, we reported that CISA, FBI, and Secret Service provide assistance in preventing and responding to ransomware attacks on tribal, state, local, and territorial government organizations. However, the agencies could improve their efforts by fully addressing six of seven key practices for interagency collaboration in their ransomware assistance to state, local, tribal, and territorial governments. For instance, existing interagency collaboration on ransomware assistance to tribal, state, local, and territorial governments was informal and lacked detailed procedures.

➢ GAO recommendeds that DHS and the Department of Justice address identified challenges and incorporate key collaboration practices in delivering services to state, local, tribal, and territorial governments.

GAO have made 106 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

Leave a comment , , , ,

Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

Agency News, Cyber Security CII sector, Industry News

Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:

- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents to better protect federal systems and information

GAO has made about 712 recommendations in public reports since 2010 with respect to securing federal systems and information. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

Improve Implementation of Government-Wide Cybersecurity Initiatives

Federal law assigned five key cybersecurity responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), including securing federal information and systems, and coordinating federal efforts to secure and protect against critical infrastructure risk. To implement these responsibilities, CISA undertook an organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. In March 2021, we reported that CISA had only completed 37 of 94 planned implementation tasks. Critical transformation tasks such as finalizing the mission-essential functions of CISA’s divisions and defining incident management roles and responsibilities across the agency had not yet been completed.

- We recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning.

Address Weaknesses in Federal Agency Information Security Programs

To protect federal information and systems, the Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies’ implementation of the act. In March 2022, we reported on the information security programs of 23 federal civilian agencies, including annually required program reviews to be conducted by agency inspectors general (IG). Among other things, we noted that IGs determined that 16 (or 70 percent) of the 23 agencies had ineffective programs for fiscal year 2020.

We found that OMB’s guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, we reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance. By clarifying its guidance and enhancing its rating scale, OMB could help ensure more a more consistent approach and nuanced picture of agencies’ cybersecurity programs.

- GAO recommended that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale.

Enhance the Federal Response to Cyber Incidents

DOD and our nation's defense industrial base (DIB) are dependent on information systems to carry out their operations. These systems continue to be the target of cyberattacks, as demonstrated by over 12,000 cyber incidents DOD has experienced since 2015.

In November 2022, we reported DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, we found that the department (1) had not fully implemented its processes for managing cyber incidents, (2) did not have complete data on cyber incidents that staff report, and (3) did not document whether it notifies individuals whose personal data is compromised in a cyber incident.

In addition, according to officials, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders. Until DOD examines whether this information should be shared with all relevant parties, opportunities could be lost to identify system threats and improve system weaknesses.

- GAO recommended the Department of Defense improve the sharing of DIB-related cyber incident information and document when affected individuals are notified of a PII breach of their data.

Leave a comment , , ,

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

The USA's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list.

Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies can't know what additional cybersecurity protections might be needed.

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sector's cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.

The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

Sector (Lead Federal Agency)

Examples of IoT or OT Initiatives

Energy (Department of Energy)

Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.

Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)

Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.

Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)

Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.

Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing of cybersecurity incident response plans for higher risk railroads.

Source: GAO analysis of agency documentation │ GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.

As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

Leave a comment , , ,

DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

Agency News, Cyber Security CII sector, Industry News

DOD and DIB information technology systems continue to be susceptible to cyber incidents as cybersecurity threats have evolved and become more sophisticated. Federal laws and DOD guidance emphasize the importance of properly reporting and sharing cyber incident information, as both are vital to identifying system weaknesses and improving the security of the systems.

House Report 116-442 included a provision for GAO to review DOD's cyber incident management. This report examines the extent to which DOD established and implemented a process to (1) report and notify leadership of cyber incidents, (2) report and share information about cyber incidents affecting the DIB, and (3) notify affected individuals of a PII breach.

To conduct this work, GAO reviewed relevant guidance, analyzed samples of cyber incident artifacts and cyber incident reports submitted by the DIB and privacy data breaches reported by DOD, and surveyed 24 DOD cyber security service providers. In addition, GAO interviewed officials from DOD and cyber security service providers and convened two discussion groups with DIB companies.

Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations.

DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD:
- Hasn't fully implemented its processes for managing cyber incidents
- Doesn't have complete data on cyber incidents that staff report
- Doesn't document whether it notifies individuals whose personal data is compromised in a cyber incident

What GAO Found

The Department of Defense (DOD) and our nation's defense industrial base (DIB)—which includes entities outside the federal government that provide goods or services critical to meeting U.S. military requirements—are dependent on information systems to carry out their operations. These systems continue to be the target of cyber attacks, as DOD has experienced over 12,000 cyber incidents since 2015 (see figure).To combat these incidents, DOD has established two processes for managing cyber incidents—one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes.

Despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD's system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents. The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department's cybersecurity posture.

In addition, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners. Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.

DOD has established a process for determining whether to notify individuals of a breach of their personally identifiable information (PII). This process includes conducting a risk assessment that considers three factors—the nature and sensitivity of the PII, likelihood of access to and use of the PII, and the type of the breach. However, DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained. Without documenting the notification, DOD cannot verify that people were informed about the breach.

GAO is making six recommendations, including that DOD assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information, and document when affected individuals are notified of a PII breach. DOD concurred with the recommendations.

Leave a comment , , ,

Defense Industrial Base: DOD Should Take Actions to Strengthen Its Risk Mitigation Approach

Agency News, Industry News

A healthy defense industrial base that provides the capacity and capability to produce advanced weapon systems is critical to maintaining U.S. national security objectives. The U.S. industrial base currently consists of over 200,000 companies. Mitigating risks—such as reliance on foreign and single-source suppliers—is essential for DOD to avoid supply disruptions and ensure that the industrial base can meet current and future needs.

Since 2017, the White House has issued executive orders directing DOD and other agencies to assess risks to the defense industrial base and high priority supply chains such as semiconductors.

Congress also directed DOD to develop an analytical framework for mitigating risks and included a provision for GAO to review DOD's efforts. This report assesses (1) DOD's strategy for mitigating industrial base risks, and (2) the extent to which DOD is monitoring and reporting on its progress in mitigating risks. GAO analyzed DOD policies and reports and interviewed DOD officials.

More than 200,000 companies provide supplies, parts, and manufacturing for DOD's weapon systems. Risks to this defense industrial base include materials shortages, reliance on foreign suppliers, and more.

Various DOD offices and the military services monitor such risks and work to mitigate them. However, DOD doesn't have a robust strategy to mitigate risks or track progress department-wide.

Visibility over its department-wide efforts could help DOD determine whether the billions of dollars being spent are paying off. We recommended developing a robust strategy and measuring and reporting on DOD-wide industrial base risk mitigation efforts.

The Department of Defense's (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base—the companies that develop and manufacture technologies and weapon systems for DOD. The office is using a combination of four previously issued reports that were created for other requirements because it devoted its resources to completing other priorities. Collectively, the reports do not include several elements GAO has previously identified that would help DOD achieve results, evaluate progress, and ensure accountability.

DOD must update its industrial base strategy following the submission of the next National Security Strategy Report, which is expected to be issued later in 2022. By including all elements in a consolidated strategy, DOD could better ensure that all appropriate organizations are working toward the same priorities, promoting supply chain resiliency, and supporting national security objectives.

DOD is carrying out numerous efforts to mitigate risks to the industrial base. This includes more than $1 billion in reported efforts under Navy submarine and destroyer programs and $125 million to sustain a domestic microelectronics manufacturer. However, DOD has limited insight into the effectiveness of these efforts and how much progress it has made addressing risks. For example:

- The Industrial Base Policy office and military services have not established enterprise-wide performance measures to monitor the aggregate effectiveness of DOD's mitigation efforts.
- DOD's annual Industrial Capabilities Reports do not include information about the progress the department has made in mitigating risks.

GAO's prior work on enterprise risk management establishes that agencies should monitor and report on the status and effectiveness of their risk mitigation efforts. Without key monitoring and reporting information, DOD and Congress do not have sufficient information to help determine whether industrial base risks have been mitigated and what additional resources or actions may be needed.

GAO is making six recommendations, including that DOD develop a consolidated and comprehensive strategy to mitigate industrial base risks; develop and use enterprise-wide performance measures to monitor the aggregate effectiveness of its efforts; and report on its progress in mitigating risks. DOD generally concurred with the recommendations and identified some actions to address them.

Leave a comment , , ,

Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Agency News, Industry News, University/Research/Academia sector

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

Leave a comment , ,

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

Agency News, Cyber Security CII sector, Industry News

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assuance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Leave a comment , , ,

Information Technologies for Managing Federal Use

Agency News, Industry News, Transport sector

Radio-frequency spectrum is a scarce natural resource vital to many commercial and government activities, including weather observation, air traffic control, and national defense. NTIA and government agencies have a responsibility to manage their spectrum use wisely. To do so, agencies rely on different spectrum-related IT, but NTIA has recently highlighted that existing IT is out-of-date and hinders spectrum management.

Federal officials said modernization of spectrum-related federal IT could provide benefits such as greater sharing of the limited spectrum and improved efficiency. For example, the current process for assigning spectrum relies on manual reviews of frequency requests and manual input of data. Automation could reduce errors and speed the process.

The FY21 NDAA contains a provision for GAO to review the current spectrum-related IT of covered agencies. This report describes (1) the existing spectrum-related IT that covered agencies employ to manage their spectrum use, and (2) the opportunities covered agencies and NTIA identified for improving spectrum management through IT modernization. The FY21 NDAA also contains a provision for GAO to conduct oversight of the implementation of agencies' spectrum-related IT modernization plans. This topic will be the subject of future GAO work.

Federal agencies use a variety of information technologies (IT) to manage their use of radio-frequency spectrum. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) required the National Telecommunications and Information Administration (NTIA) and covered agencies to develop plans to modernize their spectrum-related IT (i.e., the software, databases, and other tools that comprise their spectrum infrastructure).

Currently, the NTIA provides agencies with some spectrum-related IT systems, such as software, databases, and engineering tools, so that they can participate in NTIA's spectrum management processes. These processes include assigning frequencies for agencies to use and certifying spectrum-dependent equipment. GAO found that all 20 agencies covered by the FY21 NDAA modernization requirement rely at least in part on NTIA-provided IT to manage their spectrum use. Additionally, most of these agencies—DOD and the Federal Aviation Administration, in particular—augment NTIA-provided IT with additional spectrum-related IT that meets their unique mission needs.

Many of the officials GAO interviewed broadly agreed that modernizing spectrum-related IT could provide opportunities to improve spectrum management, mostly related to the following: (1) improving current spectrum management processes by addressing some limitations in existing spectrum-related IT and (2) facilitating the potential for greater spectrum sharing (i.e., enabling more than one spectrum user to use the same frequency band without interfering with each another). As NTIA and the covered agencies advance their modernization efforts in 2022, it is not yet clear if their plans will target these opportunities.

 

Leave a comment , ,
1 2