Government agencies need to improve their cybersecurity posture. A report by the Government Accountability Office (GAO) found that many government agencies are still vulnerable to cyberattacks. The report found that agencies need to do more to implement security controls, such as conducting regular penetration testing.
The report, titled Cybersecurity: Federal Agencies Need to Implement Recommendations to Manage Supply Chain Risks, was released on March 25, 2022. It examined the extent to which 23 federal agencies have implemented GAO’s previous recommendations on cybersecurity, especially those related to supply chain risks.
The report found that, as of December 2021, agencies had implemented only 61% of the 3,300 cybersecurity recommendations that GAO had made since 2010. Of these, only 23% were priority recommendations, meaning that they warranted urgent attention from agency heads. The report also found that agencies had not fully implemented 69% of the 145 recommendations related to supply chain risks.
The report highlighted some of the major cyber incidents that affected federal agencies in 2021, such as the SolarWinds breach, the Microsoft Exchange hack, and the Colonial Pipeline ransomware attack. These incidents demonstrated the potential impact of supply chain risks on the security and operations of federal agencies and critical infrastructure.
The report called for immediate actions by agencies to address identified cybersecurity gaps, recommending the establishment of supply chain risk management policies, implementation of security controls like encryption and password policies, routine penetration testing and vulnerability scanning, and staff education to recognize and thwart phishing and social engineering attempts.
Phishing messages contain malicious links or attachments that can infect the recipients’ devices with malware or steal their credentials. Social engineering is a technique that involves manipulating or deceiving people into divulging sensitive information or performing actions that can compromise their systems or networks.
The report also called for more oversight and coordination from the Office of Management and Budget (OMB) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The report emphasized the need for OMB and CISA to oversee agency progress in implementing GAO’s cybersecurity recommendations, particularly those concerning supply chain risks, and to offer additional support through guidance, resources, and enhanced collaboration and information-sharing among federal agencies and critical infrastructure sectors on cybersecurity matters.