
Addressing GAO's Findings on National Cyber Risk Management Gaps

April 23, 2024

Jonathan Trull

Federal News Network

By Jonathan Trull, Federal News Network / April 22, 2024

Cyber risk management is vital for protecting the nation's data assets from cyber adversaries. Yet the Government Accountability Office uncovered gaps in federal risk management when it analyzed how effectively the 2023 National Cybersecurity Strategy is being carried out.

GAO has pointed out the need for robust guidance to help federal agencies evaluate, prioritize and mitigate cybersecurity risks. That guidance should also enable coordinated effort with the other parties who share the risk: state and local governments, the private sector and international allies. GAO's report emphasizes the barriers agencies encounter when putting cybersecurity risk management processes in place, such as recruiting and retaining skilled staff, handling multiple priorities concurrently and standardizing cyber capabilities across varied platforms and systems.

Furthermore, there is a pressing need for federal agencies to refine how they evaluate cyber risk. The existing approach relies predominantly on the Common Vulnerability Scoring System (CVSS), which rates the technical severity of a software vulnerability on a 0 to 10 scale. That rating has real limitations as a basis for decisions. A CVSS base score describes the characteristics of the flaw itself; it does not say whether an exploit is actually in use, whether the affected system is reachable by an attacker, or how much the agency depends on that system. In practice, agencies turn the score into a simple binary threshold that dictates when to patch, for instance mandating updates whenever a vulnerability reaches a score of eight or higher. A more nuanced approach that weighs several factors alongside severity would give agencies a more sophisticated and effective response to the threats they actually face.
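To make the contrast concrete, the following is an added illustration, not code from the article or from any agency's process. It ranks a handful of constructed findings two ways: with the flat "CVSS of eight or higher" rule described above, and with a composite score that also weighs evidence of active exploitation, network exposure and asset criticality. The finding labels, the sample records and the weights are all assumptions chosen for illustration, not values taken from CVSS or any published standard.

```python
"""Flat CVSS cut-off versus a multi-factor ranking (constructed illustration).

The weights and sample findings below are assumptions for demonstration only;
they are not drawn from CVSS, GAO, or any agency policy.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed multipliers: each factor scales the CVSS-derived base down unless the
# condition that actually makes a flaw urgent (exploited, exposed, critical) holds.
EXPLOIT_WEIGHT = {"known_exploited": 1.0, "public_poc": 0.6, "none": 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
CRITICALITY_WEIGHT = {3: 1.0, 2: 0.7, 1: 0.4}  # 3 = mission-critical asset


@dataclass(frozen=True)
class Finding:
    ident: str        # constructed label, deliberately not a CVE identifier
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploit: str      # key of EXPLOIT_WEIGHT
    exposure: str     # key of EXPOSURE_WEIGHT
    criticality: int  # key of CRITICALITY_WEIGHT


def threshold_policy(f: Finding, cutoff: float = 8.0) -> bool:
    """The binary rule the article describes: patch now iff CVSS >= cutoff."""
    return f.cvss >= cutoff


def risk_score(f: Finding) -> float:
    """Composite risk on a 0 to 100 scale.

    CVSS supplies the severity term; the other three factors encode context
    that the base score does not carry. A perfect-10 flaw with no exploit on
    an isolated, low-value host scores far below a mid-severity flaw that is
    being exploited on an internet-facing, mission-critical system.
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.ident}: CVSS must be within 0.0 and 10.0")
    score = (
        (f.cvss / 10.0)
        * EXPLOIT_WEIGHT[f.exploit]
        * EXPOSURE_WEIGHT[f.exposure]
        * CRITICALITY_WEIGHT[f.criticality]
    )
    return round(score * 100, 1)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Order findings by composite risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def compare(findings: Iterable[Finding]) -> List[Tuple[str, float, bool, float]]:
    """Per finding: (label, CVSS, threshold decision, composite risk), in risk order."""
    return [
        (f.ident, f.cvss, threshold_policy(f), risk_score(f))
        for f in prioritize(findings)
    ]


# Constructed sample set: two high-CVSS flaws in benign context, two lower-CVSS
# flaws that are actively exploited on exposed systems.
SAMPLE = [
    Finding("V-1", 9.8, "none", "isolated", 1),
    Finding("V-2", 7.5, "known_exploited", "internet", 3),
    Finding("V-3", 8.1, "public_poc", "internal", 2),
    Finding("V-4", 6.5, "known_exploited", "internet", 2),
]


if __name__ == "__main__":
    print(f"{'finding':8} {'cvss':>5} {'cvss>=8':>8} {'risk':>6}")
    for ident, cvss, patch_now, risk in compare(SAMPLE):
        print(f"{ident:8} {cvss:5.1f} {str(patch_now):>8} {risk:6.1f}")
```

Run as written, the flat rule selects V-1 and V-3 (the two scores above eight) and ignores V-2 and V-4, while the composite ranking puts V-2 and V-4 at the top because they are being exploited on exposed, important systems, and drops V-1 to the bottom. The specific multipliers are not the point; what matters is that the decision input carries more than a single severity number.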

Read the rest of the article here: