The GAO released its report of Unimplemented Recommendations, thus revealing possible cybersecurity risks at some cabinet-level agencies. The Government Accountability Office (GAO) laid out two main components that comprised their “priority open recommendations”- 1. Agencies should develop a risk-management framework and 2. Bolster coordination between management divisions in charge of cybersecurity and those responsible for risk management involving their agency’s enterprise.
The US Department of Agriculture (USDA) currently has a subpar response program in place- something highlighted by the GAO in July of 2019 when it was found no strategy had been designed for mitigating cybersecurity vulnerabilities. The USDA responded officially by assuring their strategy’s completion before 2021. In terms of the framework, according to GAO findings, the agency’s IT codes were not adequately labeled.
The system in place at the US State Department, according to the GAO, also contained IT code with inappropriate labels. In terms of a coordination process between cybersecurity and enterprise risk management, the State Dept. responded to the GAO with a claim that the desired level cooperation between their two teams exists- but provided zero evidence. Their succinct answer only included a vague reassurance in that some sort of review of such policies was currently underway.
The Education Department was able to properly label the code in their framework, but it didn’t provide enough detail to meet the GAO’s satisfaction in selecting acceptable strategies when responding to risks. The Department responded by giving a target date of August 21st for this task’s completion.
The Department of the Interior (DOI) was reported to have only a partially established structure of managing enterprise risk, and had no plan yet for collaboration between their cybersecurity and risk management teams. The last communication from the DOI to the GAO on the subject was in January, and promised completion of both priority recommendations by July 31st.
Although not mentioned in the GAO report referenced above, there have been cybersecurity issues involving the Thrift Saving Plan (TSP). A 2011 attack compromised the information of over 100,000 of the retirement plan’s participants. There was also an audit conducted by the Office of the Inspector General (OIG) in 2017 that found glaring vulnerabilities in the plan’s computer systems. With the passage of the TSP Modernization Act that same year, and its implementation in 2019, the Federal retirement plan switched a lot of procedures to computer and internet-based formats, moving away from paper forms. Hopefully, in modernizing the TSP, there was a revamp in cybersecurity protection. The biggest safeguard in use currently by the Federal plan is Two-Factor authentication, where a reliable contact phone number must be established for participants to receive access to their account.
Until Next Time,
**Written by Benjamin Derge, Financial Planner. The information has been obtained from sources considered reliable but we do not guarantee that the foregoing material is accurate or complete. Any opinions are those of Benjamin Derge and not necessarily those of RJFS or Raymond James. Links are being provided for information purposes only. Expressions of opinion are as of this date and are subject to change without notice. Raymond James is not affiliated with and does not endorse, authorize, or sponsor any of the listed websites or their respective sponsors.