Only two of six cybersecurity recommendations by the Government Accountability Office have been either partially or completely fulfilled by the Transportation Security Administration over the past six years, reports The Record, a news site by cybersecurity firm Recorded Future.

Despite already completing short- and long-term cyber workforce expansion strategies, TSA has yet to finalize the inclusion of cybersecurity into an update for its 14-year-old Pipeline Security and Incident Recovery Protocol Plan, according to a GAO report. Meanwhile, TSA has not yet acted to implement recommendations to gauge ransomware-related support and cyber best practices adherence in the transportation sector, develop sector-specific guidance on ensuring internet-exposed device security, and evaluate operational technology-specific cybersecurity evaluations. Such a report comes as TSA was criticized by industry leaders regarding a proposed rule that would compel the submission of sensitive security information. “No system is perfectly secure, and aggregating so much vital information in one location would create a massive security vulnerability to the pipeline owners/operators with no corresponding benefit,” said Kimberly Denbow of the American Gas Association at a House Homeland Security Subcommittee on Transportation and Maritime Security hearing.