GAO looked at agencies' system security plans, the results of security control assessments, remedial action plans and whether or not they followed NIST cybersecurity guidance.