Government agencies coordinated in response to the hack, but sharing of information was "often slow, difficult, and time consuming," according to the report. It added that "collecting evidence was limited due to varying levels of data preservation at agencies."
Thursday's report covered both the SolarWinds attack by Russian Foreign Intelligence Service and a Chinese government affiliate's "likely" exploitation of a vulnerability on the Microsoft Exchange Server.
A representative for Microsoft declined to comment. A SolarWinds spokesperson told FOX Business: "Today’s GAO report confirms details previously released about the highly sophisticated SUNBURST attack targeting SolarWinds and other technology companies. Further, the GAO analysis of the National Security Council (NSC) after-action report on the Cyber Unified Coordination Group (UGC) investigation into the SUNBURST attack highlights the criticality of improving public-private engagement, and that coordination and information-sharing needs to be a two-way street between government and the private sector."
"As noted in the report, information sharing between federal agencies and the private sector aided investigations and helped speed up response efforts. We strongly agree enhanced public-private collaboration is necessary to protect the nation's cyberinfrastructure from threats by foreign governments."
House Oversight Reform Chair Rep. Carolyn Maloney, D-N.Y., expressed concern about the GAO's findings and indicated she would propose new legislation.
"More than a year after the discovery of the devastating SolarWinds attack, in which the Russian government was able to gain network access to nine federal agencies, it’s clear that there are still significant gaps in the federal government’s ability to respond to advanced cyberattack," she said in a statement released Thursday.
"It’s troubling that the federal government was still working to remove cyberattackers from agencies’ networks six months after the attack was discovered, and I am alarmed to hear that cyberattackers may still have as-yet-undiscovered access to federal networks."
"The federal government continues to be a top target for nation-state adversaries, and the report released today underscores the urgent need for Congress to update and strengthen the Federal Information Security Management Act, or FISMA. Ranking Member Comer and I have released discussion draft legislation to do just that. I look forward to working with my colleagues on this bipartisan legislation to meet the challenges of the cyber landscape."
The SolarWinds incident has resurfaced considerations of the U.S.' information security apparatus.
The GAO said Thursday it had made a long list of recommendations and was monitoring agencies' progress.
"Since 2010, GAO has made about 3,700 recommendations to agencies aimed at remedying cybersecurity shortcomings," the report read.
"As of November 2021, about 900 of those recommendations had not yet been fully implemented. GAO will continue to monitor federal agencies' progress in fully implementing these recommendations, including those related to software supply chain management and cyber incident management and response."
FOX Business' Bradford Betz contributed to this report.