GAO Report: Federal cybersecurity has regressed since 2019

FireEye CEO Kevin Mandia testifies during a congressional hearing last week focused on the SolarWinds hack. File Photo by Drew Angerer/UPI

March 2 (UPI) -- The Government Accountability Office said in its high-risk report published Tuesday that federal cybersecurity's rating has regressed since 2019.

The rating has declined from a met rating in 2019 to a partially met rating in 2021 due to lack of leadership commitment, according to the high-risk report. A partially met rating means some, but not all, necessary actions have been taken for an area to be removed from the agency's high-risk list.


The White House was missing "important characteristics" in its September 2018 National Cyber Strategy and the National Security Council's accompanying June 2019 implementation plan, the report said.

"None of the 24 Chief Financial Officers (CFO) Act agencies have fully implemented best practices for information technology (IT) or cybersecurity workforce planning," the report noted among the gaps. The best practices include "ensuring staff have the skills to address cybersecurity risks and challenges in areas such as industrial control systems supporting the electric grid and avionics security."

Former President Donald Trump's administration also lacked "an officially appointed central leader" for coordinating execution of the White House's approach to managing federal cybersecurity, according to the report.


The 2021 National Defense Authorization Act established such a position, but it hasn't been filled yet.

The GAO identifies high risk areas as government operations with vulnerabilities to fraud, waste, abuse and mismanagement, or those in need of reform to address economy, efficiency or effectiveness challenges.

Other high-risk areas that have regressed since 2019, according to the report, include the U.S. Postal Service, the U.S. Census Bureau, Strategic Capital Human Management, and the Environmental Protection Agency's Process for Assessing and Controlling Toxic Chemicals.

Strategic Capital Human Management's rating similarly declined because of lack of leadership commitment, including absence of Senate confirmed leadership at the U.S. Office of Personnel Management for 18 of the last 24 months, as of January.

The EPA's rating declined because it failed to complete chemical assessment between August 2018 and December 2020 and lacked information on monitoring and implementation.

The USPS regressed because its business model was not financially sustainable.

The Decennial Census rating declined because the Trump administration requested shorter time frames for collection of data, which "increased the risk of compromised data quality," according to the report.

Meanwhile, the government is still dealing with the fallout from the SolarWinds hack, which technology executives testified last week was of an unprecedented level of scale and sophistication.


Kevin Mandia, CEO of cybersecurity firm FireEye, which reported the SolarWinds hack after realizing its own network had been breached, said hackers inserted malicious code into a software update as part of a "multi-decade campaign" by the Russian government to infiltrate U.S. businesses and agencies.