The Government Accountability Office has called on the Department of State’s chief information officer to address 95 open recommendations related to cybersecurity and IT acquisition and management.
In a report published Wednesday, the congressional watchdog said implementing the recommendations will enable the State Department to deter threats, improve programs, save taxpayer dollars and ensure compliance with relevant regulations.
Explore the advanced technologies that agencies are using to modernize processes at the Potomac Officers Club’s 2026 Digital Transformation Summit on April 22. At the event, you will hear directly from government and industry leaders about ongoing initiatives and future strategies to harness cutting-edge tools to support mission execution. Get your tickets today.
What Are GAO’s Key Recommendations for the State Department?
GAO identified two priority recommendations that require immediate action.
The first priority recommendation calls for a department-wide risk portfolio to eliminate gaps in its understanding of cyberthreats and ensure that it can protect its systems.
The second priority recommendation is about validating that all IT systems are authorized to operate within the department.
GAO also urged the State CIO to implement technical security controls such as comprehensive event logging, complete annual reviews of its IT portfolio, develop strategies to attract and retain IT talent and consistently track software license usage.
Which Agencies Have Received CIO Recommendations From GAO?
GAO previously called on other agency chief information officers to address cybersecurity and IT management deficiencies. In a 2025 report, the watchdog urged the Treasury Department’s CIO to resolve 21 open recommendations tied to multifactor authentication implementation, event logging requirements, mobile device inventory management and other issues. GAO also recommended that Treasury ensure its artificial intelligence applications comply with Executive Order 13960.
GAO issued a similar guidance to the Small Business Administration, calling on the agency’s CIO to address 20 open recommendations designated as high risk. The recommendations for SBA include actions to strengthen privacy workforce management, improve project risk mitigation and resolve cybersecurity and IT control deficiencies.
