Cybersecurity: DHS's National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely
Highlights
What GAO Found
The National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS) has taken steps to perform each of its 11 statutorily required cybersecurity functions, such as being a federal civilian interface for sharing cybersecurity-related information with federal and nonfederal entities. It manages several programs that provide data used in developing 43 products and services in support of the functions. The programs include monitoring network traffic entering and exiting federal agency networks and analyzing computer network vulnerabilities and threats. The products and services are provided to its customers in the private sector; federal, state, local, tribal, and territorial government entities; and other partner organizations. For example, NCCIC issues indicator bulletins, which can contain information related to cyber threat indicators, defensive measures, and cybersecurity risks and incidents and help to fulfill its function to coordinate the sharing of such information across the government.
The National Cybersecurity Protection Act also required NCCIC to carry out its functions in accordance with nine implementing principles, to the extent practicable. However, the extent to which NCCIC adhered to the 9 principles when performing the functions is unclear because the center has not yet determined the applicability of the principles to all 11 functions, or established metrics and methods by which to evaluate its performance against the principles. GAO identified instances where NCCIC had implemented its functions in accordance with one or more of the principles. For example, consistent with the principle that it seek and receive appropriate consideration from industry sector-specific, academic, and national laboratory expertise, NCCIC coordinated with contacts from industry, academia, and the national laboratories to develop and disseminate vulnerability alerts. On the other hand, GAO also identified instances where the cybersecurity functions were not performed in accordance with the principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, it had not established measures or other procedures for ensuring the timeliness of these assessments. Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.
In addition, GAO identified factors that impede NCCIC's ability to more efficiently perform several of its cybersecurity functions. For example, NCCIC officials were unable to completely track and consolidate cyber incidents reported to the center, thereby inhibiting its ability to coordinate the sharing of information across the government. Similarly, NCCIC may not have ready access to the current contact information for all owners and operators of the most critical cyber-dependent infrastructure assets. This lack could impede timely communication with them in the event of a cyber incident. Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks.
Why GAO Did This Study
Cyber-based intrusions and attacks on federal systems and systems supporting our nation's critical infrastructure, such as communications and financial services, have become more numerous, damaging, and disruptive. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. The National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 require NCCIC to perform 11 cybersecurity-related functions, including sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.
The two acts also contained provisions for GAO to report on NCCIC's implementation of its cybersecurity mission. For this report, GAO assessed the extent to which the NCCIC was performing the 11 required functions. To do this, GAO analyzed relevant program documentation, interviewed officials, and conducted a non-generalizable survey of 2,792 federal and nonfederal recipients of NCCIC products and services.
Recommendations
GAO recommends nine actions to DHS for enhancing the effectiveness and efficiency of NCCIC, including to determine the applicability of the implementing principles and establish metrics and methods for evaluating performance; and address identified impediments. DHS concurred with GAO's recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions. |
Closed – Implemented
In September 2017, DHS provided documentation supporting its determination on the extent to which statutorily required implementing principles apply to its cybersecurity functions. Specifically, NCCIC provided output of an effort to simplify the center's mission functions, document capabilities and map implementing principles to functions, as appropriate. The resulting analysis indicates whether a principle is critical to the success of a function and the extent to which each of the 9 principles is relevant to each of the 11 functions. Based on the information provided, DHS demonstrated that it has determined the extent to which statutorily required implementing principles apply to NCCIC's cybersecurity functions.
|
| Department of Homeland Security |
Priority Rec.
To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions. |
Closed – Implemented
In March 2020, we determined that for all 11 functions, DHS provided evidence to support their evaluation of compliance with five of the nine principles (#1, #2, #5, #6, and #7). At that time, we were not able to confirm evidence of evaluation of the remaining four principles (#3, #4, #8, and #9). In March 2021, DHS provided evidence of established measures to evaluate compliance with the remaining four principles. For the third and fourth principles, which are related to prioritizing activities based on level of risk and ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs, respectively, DHS identified specific measures that evaluate compliance of each of the 11 functions. For the eighth and ninth principles, related to safeguarding against unauthorized access and compliance with policies, regulations, and laws related to privacy and civil liberties, DHS stated that they are a steady state consideration across all mission areas and functions and have no associated identified measure. Based on the information provided DHS demonstrated that it has developed metrics for assessing adherence to applicable principles in carrying out statutorily required functions.
|
| Department of Homeland Security |
Priority Rec.
To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis. |
Closed – Implemented
In March 2021, DHS provided evidence of metrics developed to assess how its 11 statutorily required functions are performed in adherence with all nine applicable implementing principles (recommendation 2). In July 2021, DHS provided Quarterly Performance Review (QPR) reports from each of the first three quarters of fiscal year 2021. DHS officials stated the QPR is generated and presented to Cybersecurity and Infrastructure Agency (CISA) management, including the Deputy Director, as well as all divisions and managed service offices. Each QPR contains the aforementioned metrics that evaluated the compliance of cybersecurity functions with principles, and is organized to align with and the objectives and sub-objectives outlined in CISA's August 2019 Strategic Intent document. These objectives include Cyber Defense, Incident Communication, and Critical Infrastructure Resilience and Capacity building.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations. |
Closed – Implemented
In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts for UWS were ongoing. In April 2021, DHS stated that they identified minor enhancements to UWS functionality that were in the process of being implemented. In June 2021, DHS invited GAO to observe a demonstration of the updated UWS functionality, such as the ability to link to Common Vulnerabilities and Exposures (CVE) a database of publicly known cybersecurity vulnerabilities and capability to send alerts to the appropriate officials. In April 2022, DHS provided evidence of recurring management meetings during which security information was aggregated and shared with management. Specifically, officials provided detailed agenda documentation from daily and weekly communication disseminated to the head of the Cybersecurity Division (CSD) as well as the division heads and senior staff of all 7 cybersecurity-focused sub-divisions. These interactions provided an opportunity for officials to discuss operation priorities, including those related to security, across the various components of CSD.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately. |
Closed – Implemented
In April 2021, DHS stated that the Automated Indicator Sharing (AIS) onboarding workflow was in process and the Vulnerability Management (VM) Disclosures would be in production by the end of the month. Officials stated the latter of the two systems is intended to migrate existing workflows into a single platform to avoid manual data entry. In June 2021, DHS invited GAO to observe a demonstration of the Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation. In the demonstration, DHS showed that they had consolidated functionality from legacy systems, such as the AIS onboarding process and the VM Disclosure process, into the UWS. Based on what we observed during the demonstration, DHS has shown that with the full implementation of UWS, the agency has determined the necessity of reducing, consolidating, and modifying the points of entry used to communicate with the NCCIC.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable. |
Closed – Implemented
DHS officials stated they no longer rely on the customer information data set that we analyzed during the course of our review. DHS now uses the Homeland Security Information Network (HSIN), which provides an information-sharing "network of trust" service designed to meet the sensitive but unclassified information sharing requirements of the homeland security enterprise. HSIN is comprised of various communities of interest, which provides information to users at various levels of sensitivity based on their specific needs. Though DHS does not regularly review customer information supporting HSIN, they have instituted mechanisms to ensure the information they do have is current and reliable. For instance, DHS official stated that users cannot register for a HSIN account with a commercial web address (e.g., Gmail, Yahoo, Verizon). Additionally, the HSIN terms of service state that accounts are deactivated after 365 days of inactivity.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets. |
Closed – Implemented
In November 2019, DHS stated that no alerts are sent solely to owners and operators of the nation's most critical cyber-dependent infrastructure assets (i.e. Section 9 entities). However, the agency stated these entities receive cybersecurity information through mechanisms such as the Homeland Security Information Network (HSIN) Communities of Interest, the Cyber Information Sharing and Collaboration Program (CISCP) program, the applicable Sector Specific Agencies and the applicable Information Sharing and Analysis Centers in their respective sectors. In March 2021, DHS stated that they are cross-referencing the entities on the Section 9 list against the membership of the aforementioned information sharing mechanisms. In May 2021, DHS provided us with the results of their analysis highlighting the members of the Section 9 list that participated in five information-sharing mechanisms, including HSIN and CISCP. In July 2021, GAO met with representatives from each of the five information sharing mechanisms identified in the analysis and observed evidence (e.g. formalized agreements, email exchanges, etc.) of an established relationship between DHS and the various Section 9 entities.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry. |
Closed – Implemented
In November 2019, DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In April 2021, DHS stated that the UWS is now operational and used daily by the CISA COVID-19 Task Force to support operations and that they are working with mission stakeholders to retire additional legacy systems used across DHS Cybersecurity Division. In June 2021, DHS invited GAO to observe a demonstration of the UWS. In the demonstration, DHS showed that the platform does operate in the manner described and that they have established plans and timeframes for consolidating and integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.
|
| Department of Homeland Security | To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems. |
Closed – Implemented
In September 2017, DHS reported that its high-impact system, the Homeland Security Information Network (HSIN), continues to support its security requirements which would impact NCCIC's ability to collaborate with its international partners. DHS NCICC reported and provided evidence that it had completed and finalized the Contingency Incident Related Communications Plan for International Cybersecurity Centers, which documents alternative methods and processes by which NCCIC communicates with international partners. As a result, we consider this recommendation to be closed and implemented.
|