hacked.com

The U.S. Has Become More Vulnerable to Hackers, According to Watchdog

GAO has treated federal cybersecurity as a high-risk area because the same structural failures keep repeating: unclear ownership, weak identity controls, incomplete asset visibility, and recovery that is slow under pressure. The details change each year. The failure modes do not.

| High-risk weakness | What it looks like operationally | Control that changes outcomes |
|---|---|---|
| Identity and access sprawl | Too many admins, weak MFA, and accounts that can reset other accounts | Phishing-resistant sign-in, least privilege, and session revocation discipline |
| Incomplete visibility | No authoritative inventory of devices, apps, and internet-facing services | Owned asset inventory, patch deadlines, and exposure reduction |
| Slow recovery | Backups exist but restores are untested or reachable from compromised admin accounts | Isolated backups plus restore tests and defined recovery owners |
| Governance gaps | Plans exist but there is no central accountability for execution | Named owners, measurable milestones, and enforcement on high-signal controls |

Primary reference: GAO-23-106415 (High Risk Series): improving the cybersecurity of the nation.

Rule of thumb: if you cannot enumerate privileged accounts and force-logout sessions quickly, you do not have containment. Everything else is optimization.

What a "high-risk" label actually means

GAO uses the high-risk program to highlight areas where the government is vulnerable to fraud, waste, abuse, and mismanagement, or where it needs broad transformation. For cybersecurity, the practical translation is that the risk is systemic: it is not one agency forgetting to patch a server. It is that the underlying capability to prevent, detect, and recover is uneven, and the incentives and ownership models do not consistently force improvement.

That matters because systemic weaknesses create scale. Attackers do not need to outsmart every agency. They only need repeatable paths: credential theft, vendor access, and unowned exposure.

Why this matters outside government

Federal capability affects critical infrastructure, supply chains, and the incident ecosystem. But you do not need to be a federal agency to learn from the same patterns. The same weaknesses show up in mid-size businesses and even households:

  • The inbox that resets everything is protected by a password and SMS.
  • Admin accounts are used for daily browsing and email.
  • There is no clean list of what is exposed to the internet.
  • Backups exist, but no one has practiced a restore under pressure.

Control plane first: the fastest way to reduce attacker options

When ownership is unclear, the practical workaround is to harden the control plane. The control plane is the set of accounts that can recover or reconfigure everything else: primary email, password manager, identity provider, domain registrar, cloud, and finance.

  • Upgrade authentication: prefer passkeys or security keys for admins and the primary inbox.
  • Reduce standing privilege: separate admin accounts from daily accounts and remove stale admins.
  • Make session revocation normal: after any suspicious event, sign out everywhere and re-issue credentials.

Most high-impact incidents begin when attackers gain the ability to reset passwords, approve logins, or create persistence through sessions and app grants. Control-plane hardening removes those options.

Visibility: the inventory problem that never goes away

Attackers win time when defenders do not know what they own. That is true for federal agencies, but it is also true for a 20-person company. The fastest practical improvements are boring:

  • Maintain a single list of internet-facing services with owners and patch deadlines.
  • Log admin actions and authentication events centrally where attackers cannot delete them.
  • Remove legacy remote access paths and unused VPN accounts.

Visibility is not a dashboard. It is a maintained list with owners. If there is no owner, it will decay, and you will not know you are exposed until an incident forces you to look.

Recovery is a capability, not a document

Ransomware and destructive attacks are expensive because organizations cannot restore cleanly. Backup ownership and isolation are more important than backup volume.

  • Backups should not be reachable from everyday admin credentials.
  • At least one restore test should be run on a schedule and treated like a production exercise.
  • Recovery should have an owner with authority to make tradeoffs under pressure.

The metrics that prove you are getting less vulnerable

Many cybersecurity programs measure activity rather than capability. Capability shows up in a few leading indicators that map directly to attacker options:

  • Privileged access count: how many accounts can do irrecoverable damage?
  • Session lifetime: how long does a stolen session stay valid?
  • Time-to-revoke: how quickly can you force logouts and rotate credentials?
  • Restore confidence: when was the last successful restore test for critical systems?

If those numbers are moving in the right direction, you are actually getting less vulnerable. If they are not, "awareness" work is not changing outcomes.
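As an added example that is not from the article or from GAO, the Python below computes the four leading indicators listed above over a constructed inventory, and folds in the control-plane checks from the earlier section (admins without phishing-resistant sign-in, stale admins). The account data, session policy, drill timings and pass/fail thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample data (not from the article): a small identity inventory,
# session policy, one revocation drill and the restore-test log.
PHISHING_RESISTANT = {"passkey", "security_key"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": "security_key", "last_login": NOW - timedelta(days=2)},
    {"user": "bob", "privileged": True, "mfa": "sms", "last_login": NOW - timedelta(days=120)},
    {"user": "carol", "privileged": True, "mfa": "passkey", "last_login": NOW - timedelta(days=1)},
    {"user": "dave", "privileged": False, "mfa": "totp", "last_login": NOW - timedelta(days=5)},
]
SESSIONS = [{"user": "alice", "max_age_hours": 12}, {"user": "bob", "max_age_hours": 720}]
DRILL = {"detected": NOW - timedelta(minutes=95), "revoked": NOW - timedelta(minutes=5)}
RESTORE_TESTS = [
    {"system": "finance-db", "when": NOW - timedelta(days=200), "ok": True},
    {"system": "finance-db", "when": NOW - timedelta(days=10), "ok": False},
]

def privileged_access_count(accounts):
    # Indicator 1: how many accounts can do irrecoverable damage.
    return sum(1 for a in accounts if a["privileged"])

def admins_without_phishing_resistant_mfa(accounts):
    # Control-plane check: admins still on SMS/TOTP rather than passkeys or security keys.
    return [a["user"] for a in accounts if a["privileged"] and a["mfa"] not in PHISHING_RESISTANT]

def stale_admins(accounts, now=NOW, max_idle_days=90):
    # Control-plane check: standing privilege nobody has used recently.
    return [a["user"] for a in accounts if a["privileged"] and now - a["last_login"] > timedelta(days=max_idle_days)]

def longest_session_lifetime_hours(sessions):
    # Indicator 2: how long a stolen session stays valid, at worst.
    return max(s["max_age_hours"] for s in sessions)

def time_to_revoke_minutes(drill):
    # Indicator 3: suspicious event detected -> sign-out-everywhere completed.
    return int((drill["revoked"] - drill["detected"]).total_seconds() // 60)

def days_since_last_successful_restore(tests, now=NOW):
    # Indicator 4: age of the last restore test that actually succeeded (None if never).
    ok = [t["when"] for t in tests if t["ok"]]
    return (now - max(ok)).days if ok else None

def posture_report(accounts=ACCOUNTS, sessions=SESSIONS, drill=DRILL, tests=RESTORE_TESTS, now=NOW):
    """Leading indicators from the article plus findings against assumed thresholds."""
    r = {"privileged_accounts": privileged_access_count(accounts),
         "admins_weak_mfa": admins_without_phishing_resistant_mfa(accounts),
         "stale_admins": stale_admins(accounts, now),
         "longest_session_hours": longest_session_lifetime_hours(sessions),
         "time_to_revoke_min": time_to_revoke_minutes(drill),
         "days_since_restore": days_since_last_successful_restore(tests, now)}
    checks = [("admins_weak_mfa", r["admins_weak_mfa"] == []), ("stale_admins", r["stale_admins"] == []),
              ("session_lifetime", r["longest_session_hours"] <= 24), ("time_to_revoke", r["time_to_revoke_min"] <= 60),
              ("restore_confidence", r["days_since_restore"] is not None and r["days_since_restore"] <= 90)]
    r["failing"] = [name for name, passed in checks if not passed]
    return r
```

Run `posture_report()` as-is and every check fails, which is the point: the sample data describes an organization with a long-lived admin session, a stale SMS-protected admin, a slow revocation drill and a restore test that last succeeded 200 days ago.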

If you are building an incident plan for a small organization, use the guide on what to do if your business or employees are hacked as a baseline.

High-risk designations are not about predicting the next incident. They are about repeating the same work until the system stops failing the same way.

Identity hardening, owned inventory, and tested recovery are the loops that change outcomes. When those exist, vulnerability becomes a curve you can bend rather than a headline you can only react to.

A 90-day plan that improves posture even without perfect leadership

If you want a plan that changes outcomes, it has to be owner-based and measurable. The purpose is to reduce attacker options quickly, not to produce a new policy document.

| Days | Focus | What "done" looks like |
|---|---|---|
| 0 to 14 | Control plane | Primary inbox and all admins protected with phishing-resistant sign-in where possible, recovery methods reviewed, and stale admins removed |
| 15 to 45 | Exposure and patching | Owned inventory of internet-facing services, patch deadlines enforced, and unnecessary exposure reduced |
| 46 to 75 | Recovery readiness | Backups isolated from daily admin accounts, one successful restore test completed for critical systems |
| 76 to 90 | Detection and response | High-signal identity alerts enabled, a written containment sequence, and a tested reporting path for suspicious events |

These steps look simple because they are. They are also the steps that most organizations skip until after a painful incident. High-risk findings exist because execution is hard at scale, not because the controls are mysterious.

Vulnerability decreases when you can revoke access quickly, see what is exposed, and restore cleanly. Those capabilities are measurable, and they are what attackers plan around.

When those capabilities exist, the system becomes resilient even when leadership changes. That is the long-term value of moving from advice to capability.