Cybersecurity: Actions Needed to Strengthen U.S. Capabilities, Statement of Gregory C. Wilshusen, Director, Information Security Issues, Testimony Before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives
"Cyber-based intrusions and attacks on federal systems and systems supporting our nation's critical infrastructure, such as communications and financial services, are evolving and becoming more sophisticated. GAO [Government Accountability Office] first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. This statement (1) provides an overview of GAO's work related to cybersecurity of the federal government and the nation's critical infrastructure and (2) identifies areas of consistency between GAO recommendations and those recently made by the Cybersecurity Commission and CSIS [Center for Strategic & International Studies]. In preparing this statement, GAO relied on previously published work and its review of the two recent reports issued by the Commission and CSIS. [...] Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented."
Government Accountability Office: http://www.gao.gov/