In releasing a batch of letters on priority open recommendations, the Government Accountability Office (GAO) highlighted IT and cybersecurity issues at the Departments of Education (Ed), Housing and Urban Development (HUD), and the Treasury, and at the Office of Personnel Management (OPM).
Department of Education: Review Colleges' Cyber Programs
In a November 2017 report, GAO recommended that Education incorporate information security procedures into its wider oversight program for postsecondary schools, which the department agreed with. Education took steps to assess compliance with requirements during audits and to notify the agency when a reviewer sees any violations, but it has not fully implemented cybersecurity compliance reviews in its annual audits, leaving the recommendation open.
HUD Faces Two Recommendations on IT Governance
GAO highlighted two IT governance recommendations for HUD from 2014 that have yet to be implemented.
On cost savings, GAO recommended that HUD establish a process for tracking data on savings from IT investments, which HUD agreed with. While HUD did implement its HUDPLUS system, GAO noted that HUD has no processes in place to use HUDPLUS effectively to track savings.
On modernization, GAO recommended that HUD define the scope, implementation strategy, and schedule for its modernization approach. While HUD agreed with the recommendation and is conducting a technical assessment, GAO noted that HUD has not developed an approach that explicitly describes how it plans to modernize its IT environment.
Treasury Pushed to Act on Workforce, Cyber
The Treasury faces two open priority recommendations on IT, relating to workforce planning and cybersecurity.
On IT workforce planning, GAO recommended in 2016 that the CIO, chief human capital officer, and other senior managers develop a plan to address workforce shortfalls. Treasury agreed with the recommendation and has made progress, but it has not yet developed a comprehensive plan.
On cybersecurity, GAO in February 2018 pushed Treasury to work with the Department of Homeland Security and the National Institute of Standards and Technology (NIST) on setting methods for the adoption of the NIST Cybersecurity Framework in the financial sector. While Treasury neither agreed nor disagreed with the recommendation, the department is working with NIST on developing a methodology for framework adoption, an effort GAO encouraged it to continue.
OPM Must Strengthen Security Controls
Finally, GAO emphasized five open recommendations at OPM on security controls and training.
Stemming from a 2016 report, GAO noted that OPM should update security plans for selected systems to address all controls required for high-impact systems, re-evaluate its security control assessments, and provide specialized training for all individuals with significant security responsibilities. OPM aims to put in place an automated system for security controls and assessments, and it is working with a vendor to develop training requirements; however, OPM disagreed with the recommendation on re-evaluating security control assessments and, according to GAO, has not made progress in that area.
In a 2017 report, GAO pushed OPM to validate evidence from US-CERT recommendations more quickly and to implement training for individuals working on the Continuous Diagnostics and Mitigation (CDM) program. OPM cited the automated system it is putting in place, and noted that it is working with a vendor to develop requirements for role-based training.