Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed

GAO-11-24 Published: Oct 06, 2010. Publicly Released: Oct 06, 2010.

Highlights

To address pervasive computer-based (cyber) attacks against the United States that posed potentially devastating impacts to systems and operations, the federal government has developed policies and strategies intended to combat these threats. A key recent development came in February 2009, when President Obama initiated a review of the government's overall strategy and supporting activities, with the aim of assessing U.S. policies and structures for cybersecurity. The resulting policy review report, issued by the President in May 2009, provided 24 near- and mid-term recommendations to address these threats. GAO was asked to assess the implementation status of the 24 recommendations. In doing so, GAO, among other things, analyzed the policy review report, assessed agency documentation, and interviewed agency officials.

Of the 24 recommendations in the President's May 2009 cyber policy review report, 2 have been fully implemented and 22 have been partially implemented. The two fully implemented recommendations involve appointing, within the National Security Council, a cybersecurity policy official (the Special Assistant to the President and Cybersecurity Coordinator) responsible for coordinating the nation's cybersecurity policies and activities, and a privacy and civil liberties official. Examples of partially implemented recommendations include:

(1) Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties, leveraging privacy-enhancing technologies for the nation. In June 2010, the administration released a draft strategy (entitled National Strategy for Trusted Identities in Cyberspace) that seeks to increase trust associated with the identities of individuals, organizations, services, and devices involved in financial and other types of online transactions, and to address the privacy and civil liberty issues associated with identity management. The administration plans to finalize the strategy in October 2010.

(2) Develop a framework for research and development strategies. The administration's Office of Science and Technology Policy (within the Executive Office of the President) has efforts under way to develop a framework for research and development strategies; as currently envisioned, the framework includes three key cybersecurity research and development themes, but it is not expected to be finalized until 2011.

Officials from key agencies involved in these cybersecurity efforts (e.g., the Departments of Defense and Homeland Security and the Office of Management and Budget) attribute the partial implementation status of the 22 recommendations in part to the fact that agencies are moving slowly because they have not been assigned roles and responsibilities for implementing the recommendations. Specifically, although the policy review report calls for the cybersecurity policy official to assign roles and responsibilities, agency officials stated that they have yet to receive this tasking and attribute this to the fact that the cybersecurity policy official position was vacant for 7 months. In addition, officials stated that several mid-term recommendations are broad in nature, and agencies state that they will require action over multiple years before they are fully implemented. Nevertheless, federal agencies reported that they have efforts planned or under way aimed at implementing the 22 partially implemented recommendations. While these efforts appear to be steps forward, agencies were largely unable to provide milestones and plans showing when and how implementation of the recommendations was to occur. Specifically, 16 of the 22 near- and mid-term recommendations did not have milestones and plans for implementation. Consequently, until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk that the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk.

GAO recommends that the national Cybersecurity Coordinator designate roles and responsibilities and develop milestones and plans for the recommendations that lacked these key planning elements. The Cybersecurity Coordinator's office provided no comments on the conclusions and recommendations in this report; the office did cite recent progress being made on cybersecurity research and development and education that is consistent with GAO's report.

Recommendations

Recommendations for Executive Action

Agency Affected: Cybersecurity
Recommendation: The Special Assistant to the President and Cybersecurity Coordinator, as part of implementing the 22 outstanding recommendations, should designate roles and responsibilities for each recommendation, including which agencies are leading and supporting the effort.
Status: Closed – Implemented
Comments: The Executive Office of the President (EOP) agreed with our recommendation to designate roles and responsibilities for the 22 near-term and mid-term cybersecurity review recommendations. The EOP reported that all 10 near-term recommendations were implemented and that all 12 mid-term recommendations had been addressed, but some had not been implemented. We determined that the Administration had established roles and responsibilities for organizations to carry out 14 of the 22 recommendations. For example, to address a cybersecurity review recommendation, the Office of Management and Budget was responsible for establishing interim Cross-Agency Priority (CAP) Goals in February 2012 as performance metrics, including cybersecurity. In March 2014, the Administration released a new set of goals, including an update to the cybersecurity CAP goals. In addition, the National Institute of Standards and Technology was responsible for addressing a recommendation on workforce issues and developed and released the National Cybersecurity Workforce Framework. Also, the Department of State led, in collaboration with other federal agencies, the development of the International Strategy for Cyberspace, which the EOP released in May 2011 to address a recommendation about improving the nation's approach to engaging internationally with respect to cybersecurity. With respect to identity management, the Administration also released the National Strategy for Trusted Identities in Cyberspace in April 2011, which instructed the Secretary of Commerce to establish within the Department of Commerce an inter-agency office charged with achieving the goals of the strategy. As a majority of the 22 outstanding recommendations are closed and each effort had agencies and officials leading and supporting it, we determined that roles and responsibilities were designated; thus, the intent of the recommendation was substantially implemented.

Agency Affected: Cybersecurity
Recommendation: The Special Assistant to the President and Cybersecurity Coordinator, as part of implementing the 22 outstanding recommendations, should develop milestones and plans, including measures to show agency implementation progress and performance, for the 16 recommendations that lacked these key planning elements.
Status: Closed – Not Implemented
Comments: Though the Administration took actions to implement the outstanding cybersecurity review recommendations that we identified in the report, we were unable to identify specific milestones and plans, including measures to show agency implementation progress and performance. Specifically, for a majority of the 16 recommendations that lacked these key planning elements, evidence of milestones or plans was not provided. Based on this, the recommendation was not implemented.


Topics

Computer security, Critical infrastructure, Homeland security, Information systems, Information technology, Policy evaluation, Research and development, Risk management, Schedule slippages, Security assessments, Security threats, Strategic information systems planning, System vulnerabilities, Technology, Audit recommendations, Policies and procedures, Cybersecurity