Four Cabinet-level agencies are working to finalize risk-management strategies and improve internal cybersecurity coordination by this fall at the behest of the Government Accountability Office, according to new reports released by the watchdog this month.
According to the “priority open recommendations” reports, which detail the GAO’s top unimplemented recommendations to an agency, the departments of Agriculture, Education, State and the Interior aim to create enterprise risk-management frameworks and improve coordination between cybersecurity management teams and enterprise risk-management teams.
A July 2019 GAO report found the Department of Agriculture needed to implement a cybersecurity risk-management strategy to fully complete its cybersecurity risk-management program.
According to the open recommendation for USDA, the current program was missing “key elements such as a statement of risk tolerance and how the agency intends to assess, respond to, and monitor cyber risks.”
As of February, USDA told GAO that it is developing a plan to integrate risk-management practices into its cybersecurity program. The department was also working to increase coordination between its enterprise risk-management team and cybersecurity team.
The GAO also found in July that the Department of the Interior hadn’t fully established its enterprise risk-management (ERM) structure or laid out a plan to coordinate cybersecurity risk management with the ERM team. Interior officials told the GAO in January that the department plans to complete the effort by July 31, 2020.
“Given the increasing number and sophistication of cyber threats facing federal agencies, it is critical that agencies be well positioned to make consistent, informed, risk-based decisions in protecting their systems and information against these threats,” GAO officials wrote to the Department of the Interior. “The inconsistent establishment of cybersecurity risk management practices can be partially attributed to challenges agencies identify in establishing and implementing their cybersecurity risk management programs.”
The Department of Education, meanwhile, updated its cybersecurity risk-management framework in March to include its risk appetite and tolerance. However, the GAO found, the updated framework doesn’t define “in detail” acceptable risk response strategies and how they are selected. The department told the GAO this would be updated by Aug. 21.
The State Department also hadn’t created a coordination process between its cybersecurity risk-management and enterprise risk-management functions. The department told the GAO that coordination does occur, though it was unable to produce evidence. The GAO said the department is working to update policy and procedures, but there was no concrete timeline.
At the both the State Department and USDA, the GAO found they weren’t adequately labeling appropriate codes in IT and cyber-related jobs. The GAO recommended to both agencies that they implement the National Initiative for Cybersecurity Education’s work role codes that would more reliably identify agencies’ critical workforce needs.
USDA told the GAO it plans to complete the work by the fall, while the State Department is “reviewing” its policies.
“Assigning work roles that are inconsistent with IT, cybersecurity, and cyber-related positions diminishes the reliability of the information State needs to improve workforce planning,” the GAO wrote to the State Department.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.