The Government Accountability Office (GAO) scolded a trio of federal agencies on Monday because their CIOs haven’t implemented IT-related recommendations designed to safeguard national cybersecurity.
The GAO flagged failures at the General Services Administration (GSA), Environmental Protection Agency (EPA), and Department of Homeland Security (DHS) in three separate reports, with the backlog of unimplemented recommendations growing from one agency to the next. The GSA has only four outstanding items and the EPA 11, while the DHS' CIO has 43 unresolved recommendations dating back as far as 2018, seven of which the GAO identified as priority matters.
While the specifics vary per agency, two failures appear in all three reports: none of the GSA, EPA, or DHS properly logs cybersecurity events or conducts annual IT portfolio reviews, both of which are required under various federal policies.
Aside from those similarities, how the agencies have fallen behind on implementing GAO IT recommendations varies.
The GSA got off the easiest, with its two other recommendations pertaining to proper implementation of Trump’s 2020 executive order on AI that requires agencies to report their AI use cases and asks them to match all AI deployments to a particular purpose. DHS got called out for the same shortcoming.
The EPA has cloud software management problems
Of the EPA’s 11 outstanding GAO recommendations, several pertain to bad cloud software management.
According to the report, the EPA hasn’t bothered to submit required documentation to the FedRAMP program office to ensure it’s complying with that program’s cloud security requirements, nor has it bothered to maintain a list of corrective actions being taken to track weaknesses in said platforms.
Speaking of cloud services, it doesn't appear that the EPA has been maintaining proper service level agreements with the cloud providers it does business with either. The EPA also hasn't identified which of its IT systems may be ready for replacement, hasn't assessed whether its air quality systems need an update, and missed the deadline for a requested inventory of its IoT devices.
Finally, the GAO said that the EPA still hasn’t established a process for conducting an organization-wide cybersecurity risk assessment, despite first being asked to do so in 2018.
DHS still has an unstable HART beat
You may recall that, in 2023, we reported on a number of shortcomings in the DHS' Homeland Advanced Recognition Technology, or HART, program identified by the GAO. All nine HART recommendations remain open, meaning DHS has yet to implement a single one of them.
Per yesterday’s report, HART is still behind schedule without a proper accounting of costs, resolution of privacy concerns, or establishment of proper privacy controls. It doesn’t even have sufficient documentation on how it’ll maintain security for all of the PII stored in HART systems.
But that’s not all.
DHS is apparently also not properly coordinating with the federal CIO on “high-risk IT investment reviews” as required by federal regulation, hasn’t established Agile software development training requirements despite being required to do so, and hasn’t transitioned its systems to IPv6 despite requirements.