A government watchdog reported Tuesday four key federal agencies are still struggling to implement cybersecurity controls, and warned that their data will be at risk until these controls are put in place.
The agencies are NASA, the Nuclear Regulatory Commission, the Office of Personnel Management, and the Department of Veterans Affairs.
“Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption,” the Government Accountability Office said in a new report.
The government has provided guidance and established minimum security requirements for these agencies, but the four agencies have had trouble implementing them. GAO said these agencies have “not always effectively implemented access controls.”
GAO recommended that all four agencies fully implement their cybersecurity programs, and said most of the four agencies agreed with that recommendation. However, it said OPM didn’t agree with the recommendation to evaluate security control assessments.
GAO surveyed 24 federal agencies for its report, and said 18 of them have “high-impact” systems, meaning that they store highly sensitive information. GAO said the loss of that information “could cause individuals, the government, or the nation catastrophic harm.”
Most federal agencies see cyberattacks from other countries as “the most serious and most frequently-occurring threat to the security of their systems.” It also added that attacks delivered by email were the “most serious and frequent.”
The report said 11 of the 18 agencies with high-impact systems reported 2,267 incidents that affected their high-impact servers. Nearly 500 of those incidents were attempts to install malicious code.
