The Federal Trade Commission is one of six small agencies GAO audited for cybersecurity measures. (PAUL J. RICHARDS / AFP/Getty Images)
Some smaller agency information systems could be at risk of cyber threats, according to a June 25 report by the Government Accountability Office.
GAO reviewed the information security and privacy procedures and policies at six small agencies and found they have not implemented certain safeguards and security procedures as required by law.
The agencies included the Federal Retirement Thrift Investment Board, the Federal Trade Commission, the International Boundary Commission, the James Madison Memorial Fellowship Foundation, the National Capital Planning Commission and the National Endowment for the Humanities.
“Although the small agencies we reviewed have taken steps to develop information security and privacy programs, weaknesses existed that threatened the confidentiality, integrity and availability of their information and systems,” GAO wrote in the report.
Four out of the six agencies developed and conducted risk assessments while two did not. However, the risk assessments were at times infrequent and outdated and often lacking in recommendations for corrective actions agencies could take to boost security, according to the GAO.
Only one agency out of six fully implemented policies and procedures to report cyber threats and incidents, while for the other agencies, the procedures were incomplete or nonexistent.
For security reasons, GAO did not specify which agencies had or had not implemented specific measures.
GAO recommended in the report that the Office of Management and Budget include in its annual report to Congress the status of agency implementation of information security policies and procedures. The Department of Homeland Security should also develop services and guidance targeted toward small agencies.