GAO will expand its cybersecurity auditing operations, adds new tech team
With cybersecurity’s role in the federal government continuing to grow, the Government Accountability Office is looking to reshuffle resources to expand its auditing reach.
Gregory Wilshusen, GAO’s director of information security issues, said Friday that the office will increase its cybersecurity oversight capabilities in the coming year to keep pace with cybersecurity’s growing impact on federal management.
The shift includes rebranding the IT team as the IT & Cybersecurity team, pooling leadership resources and adding personnel with the standup of a separate science and technology (S&T) team to examine the potential impacts of emerging technologies.
“It’s just, I think, a recognition and part of the comptroller general’s vision of expanding our work and providing these services to the Congress going forward,” Wilshusen told FedScoop at an ACT-IAC meeting Friday. “Because they are going to need to know more about the implications of these different technologies.”
Wilshusen, who has overseen much of the GAO’s auditing work on cybersecurity, said the shift will include detailing more directors within the agency’s IT team to conduct audit work on multiple cybersecurity issues. He said Nick Marinos, GAO’s director of cybersecurity and information management, will oversee audits into critical infrastructure, privacy and data security protection.
Vijay D’Souza, director of GAO’s Center for Enhanced Analytics, will help lead audit teams examining federal information security and cybersecurity, while Carol Harris, director for information technology acquisition management issues, will explore how agencies are incorporating cyber in the early stages of the procurement lifecycle.
“We will also be supporting other teams within GAO that will be looking at different programs where they might have a cybersecurity aspect to the review of that program,” Wilshusen said, noting that because of cyber’s increasing role in federal operations, its reach could extend beyond the IT team, requiring more collaboration.
The move doesn’t necessarily change GAO’s role in reviewing federal technology efforts as much as it provides more resources to it. Harris and Marinos recently assumed leadership roles over IT acquisition and census oversight, respectively, following the departure of Dave Powner, former director of information technology issues, in August.
The S&T team will assume GAO’s role in assessing new technologies and informing Congress of their potential impacts, as well as exploring more innovative audit methods using analytics.
The IT and cybersecurity team will still examine the cyber impacts of emerging technologies, Wilshusen said, with S&T looking at their overall impacts.
The expansion, which is expected to mostly take shape in early 2019, comes as GAO is also finalizing a number of reports touching on cloud and cyber-operations.
Wilshusen specifically pointed to the release of a report examining the challenges and benefits of the Federal Risk and Authorization Management Program (FedRAMP) from the perspective of cloud service providers and federal agencies. That report will also look at how well agencies are securing their information in cloud environments, he said.
“We selected a sample of cloud security packages, looked at security control assessments, the delineation of security responsibilities between agencies and the cloud services providers and are going to be reporting that too,” he said.
GAO is also expected to release a report detailing agency implementation of the Continuous Diagnostics and Mitigation program sometime in 2019.