The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.
The lethargic pace in which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.
The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies” such as performance measures that was missing in President Trump’s 2018 cybersecurity strategy.
“We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted.
The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions establishing the national cyber director and the General Service Administration updating their security plans.
The report is the first in a four-part series the GAO plans to release reviewing gaps in the federal government’s approach to cybersecurity policy. One area of concern that the agency pointed out involved supply chain management. It noted that no federal agency has fully implemented its supply chain guidance.
The Office of Management and Budget and the Department of Homeland Security, meanwhile, have only partially addressed recommendations to solve the cybersecurity workforce shortage, according to the report. While both agencies have addressed some aspects such as training employees to fill vacant positions and streamlining the hiring process, neither have established an implementation team or plan to address workforce shortages.
“Without these practices in place, OMB and DHS will likely be unable to make significant progress towards solving the cybersecurity workforce shortage,” the GAO wrote.
Additionally, the GAO said that while efforts to better secure operational technology and internet-connected devices are underway, the Departments of Energy, Health and Human Services and DHS have not effectively established performance metrics for these initiatives.
The forthcoming Biden cybersecurity plan is expected to call for new cybersecurity mandates that could impose cybersecurity regulations on critical infrastructure organizations. After a spree of high-profile attacks such as the Colonial Pipeline ransomware attack, policymakers have called for an end of voluntary recommendations for the vital industries.