Federal agencies have not fully incorporated key practices in their cybersecurity risk management programs, according to a new report by the U.S. Government Accountability Office.

Cybersecurity incidents continue to impact federal agencies and entities across various critical infrastructure sectors, according to the report published Thursday. In fiscal year 2017, federal executive branch civilian agencies reported 35,277 incidents, including web-based attacks, phishing and the loss or theft of computing equipment, to the U.S. Computer Emergency Readiness Team.

“These incidents and others like them can pose a serious challenge to economic and national security and personal privacy,” the GAO stated.

In January, for example, the U.S. Department of Justice indicted two Ukrainian men for their roles in an international conspiracy to hack into the Securities and Exchange Commission’s computer systems and profit by trading on critical information they stole.

Key practices include designating a cybersecurity risk executive, developing a risk management strategy and policies, assessing cyber risks and coordinating between cybersecurity and enterprisewide risk management functions, according to the GAO.

All but one of the 23 federal agencies reviewed by the GAO designated a risk executive, with the General Services Administration not defining the role of its cybersecurity risk executive in its policy, according to the GAO. Although GSA officials stated that the agency’s risk executive responsibilities were shared among the chief information officer, chief information security officer, authorizing officials and other GSA officials for risk management, “the agency has not clearly defined or formally documented these roles and responsibilities in agency policy.”

A GSA spokesperson could not be immediately reached for comment.

But none of these agencies fully incorporated the other key practices into their programs, according to the report. For example, 12 out of the 23 agencies had partially or fully developed a cybersecurity risk management strategy that addressed guidance provided by the National Institute of Technology and Standards. The remaining 11 agencies that had not developed an agencywide cybersecurity risk management strategy offered a variety of reasons for not doing so, including difficulty in establishing an agencywide understanding of risk tolerance, among other factors, according to the GAO. Four of these agencies stated that they believed their existing documents and policies constituted a risk management strategy, but GAO determined that these documents did not constitute an integrated strategy that addressed key elements such as risk tolerance and risk mitigation strategies.