A new GAO report released yesterday found that while the Centers for Disease Control and Prevention (CDC) has made progress in implementing its information security program, deficiencies still put agency systems at risk.
The new report comes as a follow-up to an official-use-only report from June, which was not released to the public due to “the sensitive information it contained.” The June report made 195 recommendations to CDC, including 184 recommendations on technical security controls. For the report released yesterday, GAO removed all sensitive information from the original report and included a review of CDC’s implementation of its recommendations.
“Deficiencies existed in the technical controls and agency-wide information security program that were intended to identify risk, protect systems from threats and vulnerabilities, detect cybersecurity events, respond to these events, and recover system operations,” the report notes.
Among CDC’s deficiencies, the agency did not update facility risk assessments, failed to detail the technical specificity needed in policies, lacked facility security plans, had limited capabilities to detect incidents, and was slow to take corrective actions.
On the positive side, GAO found that CDC fully implemented 102 of the 195 recommendations issued in June, and has created action plans to implement the remaining recommendations by September 2019. The update also found that CDC had partially implemented 20 technical recommendations.
“By implementing 102 recommendations, CDC (as of August 3, 2018) reduced some of the risks associated with certain key activities. Specifically, these efforts included protecting network boundaries and logging and monitoring security events for indications of inappropriate or unusual activity on systems,” GAO noted.
In releasing the report, GAO called on CDC to fully implement the rest of the recommendations flagged in June. In its response, CDC noted that cybersecurity remained a priority for the agency, and that the report had helped to accelerate implementation of the Continuous Diagnostics and Mitigation (CDM) program. It also noted that it was in the process of restructuring the cyber program and IT infrastructure of the CIO’s office.