The United States Government Accountability Office (GAO) says it found 23 federal agencies lack proper cybersecurity measures to address oncoming challenges for the 2020 Presidential Election in a new report.
Although the 23 federal agencies GAO reviewed almost always designated a risk executive, they often did not fully incorporate other key practices in their programs:
- Twenty-two agencies established the role of cybersecurity risk executive, to provide agency-wide management and oversight of risk management.
- Sixteen agencies have not fully established a cybersecurity risk management strategy to delineate the boundaries for risk-based decisions.
- Seventeen agencies have not fully established agency- and system-level policies for assessing, responding to, and monitoring risk.
- Eleven agencies have not fully established a process for assessing agencywide cybersecurity risks based on an aggregation of system-level risks.
- Thirteen agencies have not fully established a process for coordinating between their cybersecurity and ERM programs for managing all major risks.
Additionally, agencies face challenges with:
- Hiring and retaining key cybersecurity management personnel
- Managing competing priorities between operations and cybersecurity
- Establishing and implementing consistent policies and procedures
- Establishing and implementing standardized technology capabilities
- Receiving quality risk data
- Using federal cybersecurity risk management guidance
- Developing an agency-wide risk management strategy
- Incorporating cyber risks into enterprise risk management
To read the full report, click here.
