DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

DOD and DIB information technology systems continue to be susceptible to cyber incidents as cybersecurity threats have evolved and become more sophisticated. Federal laws and DOD guidance emphasize the importance of properly reporting and sharing cyber incident information, as both are vital to identifying system weaknesses and improving the security of the systems.

House Report 116-442 included a provision for GAO to review DOD's cyber incident management. This report examines the extent to which DOD established and implemented a process to (1) report and notify leadership of cyber incidents, (2) report and share information about cyber incidents affecting the DIB, and (3) notify affected individuals of a PII breach.

To conduct this work, GAO reviewed relevant guidance, analyzed samples of cyber incident artifacts and cyber incident reports submitted by the DIB and privacy data breaches reported by DOD, and surveyed 24 DOD cyber security service providers. In addition, GAO interviewed officials from DOD and cyber security service providers and convened two discussion groups with DIB companies.

Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations.

DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD:
- Hasn't fully implemented its processes for managing cyber incidents
- Doesn't have complete data on cyber incidents that staff report
- Doesn't document whether it notifies individuals whose personal data is compromised in a cyber incident

What GAO Found

The Department of Defense (DOD) and our nation's defense industrial base (DIB)—which includes entities outside the federal government that provide goods or services critical to meeting U.S. military requirements—are dependent on information systems to carry out their operations. These systems continue to be the target of cyber attacks, as DOD has experienced over 12,000 cyber incidents since 2015 (see figure).To combat these incidents, DOD has established two processes for managing cyber incidents—one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes.

Despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD's system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents. The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department's cybersecurity posture.

In addition, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners. Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.

DOD has established a process for determining whether to notify individuals of a breach of their personally identifiable information (PII). This process includes conducting a risk assessment that considers three factors—the nature and sensitivity of the PII, likelihood of access to and use of the PII, and the type of the breach. However, DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained. Without documenting the notification, DOD cannot verify that people were informed about the breach.

GAO is making six recommendations, including that DOD assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information, and document when affected individuals are notified of a PII breach. DOD concurred with the recommendations.

Defense Industrial Base: DOD Should Take Actions to Strengthen Its Risk Mitigation Approach

A healthy defense industrial base that provides the capacity and capability to produce advanced weapon systems is critical to maintaining U.S. national security objectives. The U.S. industrial base currently consists of over 200,000 companies. Mitigating risks—such as reliance on foreign and single-source suppliers—is essential for DOD to avoid supply disruptions and ensure that the industrial base can meet current and future needs.

Since 2017, the White House has issued executive orders directing DOD and other agencies to assess risks to the defense industrial base and high priority supply chains such as semiconductors.

Congress also directed DOD to develop an analytical framework for mitigating risks and included a provision for GAO to review DOD's efforts. This report assesses (1) DOD's strategy for mitigating industrial base risks, and (2) the extent to which DOD is monitoring and reporting on its progress in mitigating risks. GAO analyzed DOD policies and reports and interviewed DOD officials.

More than 200,000 companies provide supplies, parts, and manufacturing for DOD's weapon systems. Risks to this defense industrial base include materials shortages, reliance on foreign suppliers, and more.

Various DOD offices and the military services monitor such risks and work to mitigate them. However, DOD doesn't have a robust strategy to mitigate risks or track progress department-wide.

Visibility over its department-wide efforts could help DOD determine whether the billions of dollars being spent are paying off. We recommended developing a robust strategy and measuring and reporting on DOD-wide industrial base risk mitigation efforts.

The Department of Defense's (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base—the companies that develop and manufacture technologies and weapon systems for DOD. The office is using a combination of four previously issued reports that were created for other requirements because it devoted its resources to completing other priorities. Collectively, the reports do not include several elements GAO has previously identified that would help DOD achieve results, evaluate progress, and ensure accountability.

DOD must update its industrial base strategy following the submission of the next National Security Strategy Report, which is expected to be issued later in 2022. By including all elements in a consolidated strategy, DOD could better ensure that all appropriate organizations are working toward the same priorities, promoting supply chain resiliency, and supporting national security objectives.

DOD is carrying out numerous efforts to mitigate risks to the industrial base. This includes more than $1 billion in reported efforts under Navy submarine and destroyer programs and $125 million to sustain a domestic microelectronics manufacturer. However, DOD has limited insight into the effectiveness of these efforts and how much progress it has made addressing risks. For example:

- The Industrial Base Policy office and military services have not established enterprise-wide performance measures to monitor the aggregate effectiveness of DOD's mitigation efforts.
- DOD's annual Industrial Capabilities Reports do not include information about the progress the department has made in mitigating risks.

GAO's prior work on enterprise risk management establishes that agencies should monitor and report on the status and effectiveness of their risk mitigation efforts. Without key monitoring and reporting information, DOD and Congress do not have sufficient information to help determine whether industrial base risks have been mitigated and what additional resources or actions may be needed.

GAO is making six recommendations, including that DOD develop a consolidated and comprehensive strategy to mitigate industrial base risks; develop and use enterprise-wide performance measures to monitor the aggregate effectiveness of its efforts; and report on its progress in mitigating risks. DOD generally concurred with the recommendations and identified some actions to address them.

Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assuance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Information Technologies for Managing Federal Use

Radio-frequency spectrum is a scarce natural resource vital to many commercial and government activities, including weather observation, air traffic control, and national defense. NTIA and government agencies have a responsibility to manage their spectrum use wisely. To do so, agencies rely on different spectrum-related IT, but NTIA has recently highlighted that existing IT is out-of-date and hinders spectrum management.

Federal officials said modernization of spectrum-related federal IT could provide benefits such as greater sharing of the limited spectrum and improved efficiency. For example, the current process for assigning spectrum relies on manual reviews of frequency requests and manual input of data. Automation could reduce errors and speed the process.

The FY21 NDAA contains a provision for GAO to review the current spectrum-related IT of covered agencies. This report describes (1) the existing spectrum-related IT that covered agencies employ to manage their spectrum use, and (2) the opportunities covered agencies and NTIA identified for improving spectrum management through IT modernization. The FY21 NDAA also contains a provision for GAO to conduct oversight of the implementation of agencies' spectrum-related IT modernization plans. This topic will be the subject of future GAO work.

Federal agencies use a variety of information technologies (IT) to manage their use of radio-frequency spectrum. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) required the National Telecommunications and Information Administration (NTIA) and covered agencies to develop plans to modernize their spectrum-related IT (i.e., the software, databases, and other tools that comprise their spectrum infrastructure).

Currently, the NTIA provides agencies with some spectrum-related IT systems, such as software, databases, and engineering tools, so that they can participate in NTIA's spectrum management processes. These processes include assigning frequencies for agencies to use and certifying spectrum-dependent equipment. GAO found that all 20 agencies covered by the FY21 NDAA modernization requirement rely at least in part on NTIA-provided IT to manage their spectrum use. Additionally, most of these agencies—DOD and the Federal Aviation Administration, in particular—augment NTIA-provided IT with additional spectrum-related IT that meets their unique mission needs.

Many of the officials GAO interviewed broadly agreed that modernizing spectrum-related IT could provide opportunities to improve spectrum management, mostly related to the following: (1) improving current spectrum management processes by addressing some limitations in existing spectrum-related IT and (2) facilitating the potential for greater spectrum sharing (i.e., enabling more than one spectrum user to use the same frequency band without interfering with each another). As NTIA and the covered agencies advance their modernization efforts in 2022, it is not yet clear if their plans will target these opportunities.


Pipeline Safety: Manufacturing Defects in Pipeline Components Rarely Contribute to Accidents

Almost 350,000 miles of interstate gas and hazardous liquid transmission pipelines transport products across the U.S. The quality of individual components used in constructing these pipelines is critical to protect life, property, and the environment.

The GAO reviewed data on the quality of fittings, flanges, and valves on interstate transmission pipelines, and found that manufacturing defects rarely contribute to accidents. For instance, such defects contributed to less than 2% of all accidents between 2016-2020. They caused zero deaths or hospitalizations, and spilled fewer gallons of hazardous liquid (on average) than other types of accidents.

Manufacturing defects involving certain pipelines components—specifically fittings, flanges, and valves—accounted for less than 2 percent (23 of 1,529) of all accidents on gas and hazardous liquid interstate transmission pipelines from 2016 through 2020, according to GAO's analysis of Pipeline and Hazardous Materials Safety Administration (PHMSA) data. During this period, none of the reported 10 fatalities or 24 injuries requiring in-patient hospitalizations were related to accidents involving such defects. The amount of product released was also lower than average for all accidents that GAO reviewed. For example, accidents involving manufacturing defects in these pipeline components resulted in the spillage of 69 barrels of hazardous liquid on average, compared to an average release of 242 barrels for all accidents. Many selected stakeholders GAO interviewed also said that manufacturing defects in pipeline components rarely contribute to accidents.

All selected operators GAO interviewed described taking a number of steps to design, inspect, and test pipeline components to ensure quality prior to placing the components into service. Many of these selected operators described taking steps above PHMSA's minimum safety standards. For example, some operators described conducting inspections of manufacturers' processes or requiring manufacturers to maintain voluntary management and design certifications. According to these selected operators, these actions help ensure that manufacturers have the skills and expertise to construct high-quality pipeline components. While selected operators generally did not describe additional testing steps, many of these operators and other stakeholders agreed that defects are often identified during the testing of components. Specifically, PHMSA generally requires that operators conduct a hydrostatic test—whereby the pipeline is pressurized to a level above the normal operating pressure—to ensure the integrity of the pipe and components prior to the pipeline being placed in service.

The U.S. pipeline network includes almost 350,000 miles of interstate gas and hazardous liquid transmission pipelines that operate at high pressures and transport products across the country. The integrity of individual components used in constructing these pipelines is critical to protect life, property, and the environment. These components include fittings to accommodate changes in terrain or direction of the pipe; flanges to connect pipes and other equipment together; and valves to help control the flow and pressure of product in the pipe.

Within the U.S. Department of Transportation, PHMSA sets and enforces the federal minimum pipeline safety standards for pipelines and pipeline facilities, including for the design and manufacture of components. The minimum safety standards apply to owners and operators of pipeline facilities rather than the manufacturers of components.

Due to potential concerns about the manufacturing process for pipeline components, GAO was asked to review the quality of fittings, flanges, and valves on interstate transmission pipelines. This report describes: (1) the extent to which manufacturing defects in pipeline components have contributed to accidents from 2016 through 2020, and (2) the actions selected pipeline operators have taken to ensure the quality of components manufactured for their pipelines.

GAO analyzed PHMSA's accident data on interstate transmission pipelines for gas and hazardous liquid—including number, item involved, cause, related fatalities and injuries, and amount of product released—from 2016 through 2020, the most recent 5-year period for which data were available. GAO assessed the reliability of the data by reviewing PHMSA reports and interviewing PHMSA officials, among other things, and found the data to be sufficiently reliable to describe the frequency in which manufacturing defects contributed to reportable pipeline accidents.

GAO also reviewed relevant pipeline safety statutes and regulations, including those addressing the safety of pipeline components. GAO interviewed officials from PHMSA and the National Transportation Safety Board, as well as representatives from 10 pipeline operators, six industry associations, four pipeline manufacturers, three standards-setting organizations, and one safety group. GAO selected operators that manage interstate transmission pipelines, but vary in size (number of pipeline miles managed); commodities transported (i.e., natural gas and hazardous liquids); accident history; and geographic location. GAO selected the remaining stakeholders based on, among other things, inclusion in prior GAO reports, recommendations from stakeholders, or references in PHMSA's regulations.

CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector

The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.

The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.

The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.

However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.

In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.

CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.

CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.

GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.

The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1)

The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2)

The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3)

Electricity Grid Resilience

The nation’s grid delivers electricity that is essential for modern life. However, the grid faces risks from events that can damage electrical infrastructure (such as power lines) and communications systems, resulting in power outages. These outages can threaten the nation’s economic and national security.

They can also disproportionately affect low-income groups, in part because such groups have fewer resources to invest in backup generators and other measures to minimize the impact of outages.Even though most of the electricity grid is owned and operated by private industry, the federal government plays a key role in enhancing grid resilience.
• The Department of Homeland Security (DHS) is responsible for coordinating the overall federal effort to promote the security and resilience of the nation’s critical infrastructure sectors.
• The Department of Energy (DOE) leads federal efforts to support electricity grid resilience, including research and technology development by national laboratories.
• The Federal Energy Regulatory Commission (FERC) reviews and approves standards developed by the North American Electric Reliability Corporation, the federally designated U.S. electric reliability organization.

Key Issues
The electricity grid faces multiple risks that can cause widespread power outages.
- Extreme weather and climate change
- Cyber- and physical attacks
- Electromagnetic events

In addition to the risks described in the prior page, the electric utility industry faces complex challenges and transformations, including:
• aging infrastructure;
• adoption of new technologies, such as information and communication systems
to improve the grid’s efficiency; and
• a changing mix of power generation. The traditional model of large, centralized power generators is evolving as retiring generators are replaced with variable wind and solar generators, smaller and more flexible natural gas generators, and nontraditional resources. Such resources include demand-response activities which encourage consumers to reduce their demand for electricity when the cost to generate electricity are high, and various technologies (e.g., solar panels) that generate electricity at or near where it will be used—known as “distributed generation.”

Key Opportunities
Agencies have implemented several of GAO’s recommendations for improving electricity grid resilience. For example, in March 2016, we recommended that DHS designate roles and responsibilities within the department for addressing electromagnetic risks, which DHS did in 2017. However, as of September 2021, agencies had not yet implemented a number of GAO recommendations that represent key opportunities to mitigate risks in the following areas:

- Extreme weather and climate change - Prioritize efforts and target resources effectively. Enhance grid resilience efforts. Better manage climate-related risks
- Cyberattacks - Assess all cybersecurity risks. Address risks to distribution systems Consider changes to current standards. Evaluate potential risks of a coordinated attack

TSA Takes Steps to Address Some Pipeline Security Program Weaknesses

The nation's pipelines are vulnerable to cyber-based attacks due to increased reliance on computerized systems. In May 2021 malicious cyber actors deployed ransomware against Colonial Pipeline's business systems. The company subsequently disconnected certain systems that monitor and control physical pipeline functions so that they would not be compromised.
Protecting the nation's pipeline systems from security threats is a responsibility shared by both the Transportation Security Administration (TSA) and private industry stakeholders. Prior to issuing a cybersecurity directive in May 2021, TSA's efforts included issuing voluntary security guidelines and security reviews of privately owned and operated pipelines. GAO reports in 2018 and 2019 identified some weaknesses in the agency's oversight and guidance, and made 15 recommendations to address these weaknesses. TSA concurred with GAO's recommendations and has addressed most of them, such as clarifying portions of its Pipeline Security Guidelines improving its monitoring of security review performance, and assessing staffing needs.
As of June 2021, TSA had not fully addressed two pipeline cybersecurity-related weaknesses that GAO previously identified. These weaknesses correspond to three of the 15 recommendations from GAO's 2018 and 2019 reports.
Incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline security reviews. For example, TSA's risk assessment did not include information consistent with critical infrastructure risk mitigation, such as information on natural hazards and cybersecurity risks. GAO recommended that TSA develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruptions. As of June 2021, TSA had not fully addressed this recommendation.
Aged protocols for responding to pipeline security incidents. GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity. GAO recommended that TSA periodically review, and update its 2010 plan. TSA has begun taking action in response to this recommendation, but has not fully addressed it, as of June 2021.
TSA's May 2021 cybersecurity directive requires that certain pipeline owner/operators assess whether their current operations are consistent with TSA's Guidelines on cybersecurity, identify any gaps and remediation measures, and report the results to TSA and others. TSA's July 2021 cybersecurity directive mandates that certain pipeline owner/operators implement cybersecurity mitigation measures; develop a Cybersecurity Contingency Response Plan in the event of an incident; and undergo an annual cybersecurity architecture design review, among other things. These recent security directives are important requirements for pipeline owner/operators because TSA's Guidelines do not include key mitigation strategies for owner/operators to reference when reviewing their cyber assets. TSA officials told GAO that a timely update to address current cyber threats is appropriate and that they anticipate updating the Guidelines over the next year.

GAO Cybersecurity Report and Recommendations for HHS

The Government Accountability Office (GAO) wants HHS to improve cybersecurity efforts by strengthening collaboration within the department and with the broader healthcare sector.
Health care organizations' IT systems are critical to the nation's well-being. Cyberattacks on them could, for example, put patient privacy at risk or disrupt essential telehealth services. (The nation's cybersecurity is on our High Risk List.)
The Department of Health and Human Services coordinates with health care organizations and others to support cybersecurity efforts. Its policies and procedures clearly describe roles and responsibilities, which is good for collaboration.
GAO is making seven recommendations to HHS to improve its collaboration and coordination within the department and the sector:
1. The HHS secretary should have the CIO overseeing the coordination and sharing of cybersecurity information between the Health Sector Cybersecurity Coordination Center and Healthcare Threat Operations Center.
2. The HHS secretary should order the CIO to monitor, evaluate and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
3. HHS should direct the assistant secretary for preparedness and response to monitor, evaluate and report on the progress and performance of the Government Coordinating Council's Cybersecurity Working Group and HHS Cybersecurity Working Group.
4. HHS should have the CIO regularly monitor and update written agreements that describe how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will collaborate and ensure that officials review and approve the updated agreements.
5. HHS should direct the assistant secretary for preparedness and response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will manage collaboration.
6. HHS should have the assistant secretary for preparedness and response do the following: finalize written agreements that include a description of how the Government Coordinating Council's Cybersecurity Working Group will work together; identify the working group's roles and responsibilities; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the final agreements.
7. HHS should tell the assistant secretary for preparedness and response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials overseeing the group review and approve the updated charter.
1 2