Information Security

Open Recommendations

Spectrum IT Modernization: NTIA Should Fully Incorporate Cybersecurity and Interoperability Practices

GAO-25-107509
May 22, 2025
5 Open Recommendations
Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk management strategy that includes a determination of organizational risk tolerance, acceptable risk assessment methodologies, and details on strategies for responding to risks (such as risk acceptance, mitigation, or avoidance). (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to develop an organizational risk assessment that leverages aggregated information from system-level risk assessment results and risk considerations relevant at the organization level. (Recommendation 2)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Department of Commerce and the NTIA Office of Spectrum Management to ensure and document that system security plans for NTIA's spectrum IT systems are reviewed, at a minimum, annually, and include logs detailing the date of review and resulting changes. (Recommendation 3)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to fully document identity, credential, and access management procedures for its cloud systems, including identification of authorized users and their roles, and associated access privileges, for each of its spectrum IT legacy systems. (Recommendation 4)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Telecommunications and Information Administration
Recommendation: The NTIA Administrator should direct the IT Division in the Office of Policy Coordination and Management to work with the Office of Spectrum Management to specify a time frame for developing a data governance plan that resolves conflicts related to the application of NTIA's new data standard and defines roles and responsibilities for making decisions regarding the standard. (Recommendation 5)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures

GAO-25-107377
Apr 30, 2025
4 Open Recommendations
Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct that ONS develop and disseminate training and guidance on supply chain risk assessment standards that enable operating divisions to implement effective risk management for genomic data security while maintaining a focus on their core missions. (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Institutes of Health
Recommendation: The director of NIH should direct that NIH begin systematically tracking the extent to which intramural and extramural researchers use genetic services provided by entities with ties to countries of concern. (Recommendation 2)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: National Institutes of Health
Recommendation: The director of NIH should require the development and implementation of procedures to proactively and comprehensively monitor researcher compliance with data management and security measures for human genomic data. (Recommendation 3)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Centers for Disease Control and Prevention
Recommendation: The director of CDC should direct CDC to develop and implement procedures, across all its centers that maintain restricted-access repositories with human genomic information, to proactively and comprehensively monitor researcher compliance with data management and security measures. (Recommendation 4)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Internet of Things: Federal Actions Needed to Address Legislative Requirements

GAO-25-107179
Dec 04, 2024
11 Open Recommendations
Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Future of Cybersecurity: Leadership Needed to Fully Define Quantum Threat Mitigation Strategy

GAO-25-107703
Nov 21, 2024
1 Open Recommendation
Agency Affected: Office of the National Cyber Director
Recommendation: The National Cyber Director should (1) lead the coordination of the national quantum computing cybersecurity strategy and (2) ensure that the strategy's various documents address all the desirable characteristics of a national strategy. (Recommendation 1)
Status: Open. ONCD did not agree or disagree with this recommendation and has not taken action to address it. In February 2025, ONCD stated that, although the office is open to leading the development of a National Quantum Computing Cybersecurity Strategy, this would ultimately depend on the concurrence of the new National Cyber Director. We will continue to evaluate the ONCD's progress in implementing this recommendation.
