"Sector-specific agencies (SSA) determined… that cyber risk was significant for 11 of 15 sectors," the report, released on Thursday, stated.
US agencies or government departments for 12 of the 15 sectors had not identified incentives to promote cybersecurity in their sectors and three of the sectors had not yet made significant progress in advancing cyber-based research and development, the GAO stated.
Agencies or departments for 12 of the 15 sectors "had not developed metrics to measure and report on the effectiveness of all of their cyber risk mitigation activities or their sectors' cybersecurity posture," the report said.
The agencies reviewed are responsible for protecting US critical infrastructure, such as financial institutions, commercial buildings, and energy production and transmission facilities vital to the nation's security, economy and public health and safety, the GAO said.