Cybersecurity:

DHS's National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely

GAO-17-163: Published: Feb 1, 2017. Publicly Released: Feb 1, 2017.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS) has taken steps to perform each of its 11 statutorily required cybersecurity functions, such as being a federal civilian interface for sharing cybersecurity-related information with federal and nonfederal entities. It manages several programs that provide data used in developing 43 products and services in support of the functions. The programs include monitoring network traffic entering and exiting federal agency networks and analyzing computer network vulnerabilities and threats. The products and services are provided to its customers in the private sector; federal, state, local, tribal, and territorial government entities; and other partner organizations. For example, NCCIC issues indicator bulletins, which can contain information related to cyber threat indicators, defensive measures, and cybersecurity risks and incidents and help to fulfill its function to coordinate the sharing of such information across the government.

The National Cybersecurity Protection Act also required NCCIC to carry out its functions in accordance with nine implementing principles, to the extent practicable. However, the extent to which NCCIC adhered to the 9 principles when performing the functions is unclear because the center has not yet determined the applicability of the principles to all 11 functions, or established metrics and methods by which to evaluate its performance against the principles. GAO identified instances where NCCIC had implemented its functions in accordance with one or more of the principles. For example, consistent with the principle that it seek and receive appropriate consideration from industry sector-specific, academic, and national laboratory expertise, NCCIC coordinated with contacts from industry, academia, and the national laboratories to develop and disseminate vulnerability alerts. On the other hand, GAO also identified instances where the cybersecurity functions were not performed in accordance with the principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, it had not established measures or other procedures for ensuring the timeliness of these assessments. Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.

In addition, GAO identified factors that impede NCCIC's ability to more efficiently perform several of its cybersecurity functions. For example, NCCIC officials were unable to completely track and consolidate cyber incidents reported to the center, thereby inhibiting its ability to coordinate the sharing of information across the government. Similarly, NCCIC may not have ready access to the current contact information for all owners and operators of the most critical cyber-dependent infrastructure assets. This lack could impede timely communication with them in the event of a cyber incident. Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks.

Why GAO Did This Study

Cyber-based intrusions and attacks on federal systems and systems supporting our nation's critical infrastructure, such as communications and financial services, have become more numerous, damaging, and disruptive. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. The National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 require NCCIC to perform 11 cybersecurity-related functions, including sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.

The two acts also contained provisions for GAO to report on NCCIC's implementation of its cybersecurity mission. For this report, GAO assessed the extent to which the NCCIC was performing the 11 required functions. To do this, GAO analyzed relevant program documentation, interviewed officials, and conducted a non-generalizable survey of 2,792 federal and nonfederal recipients of NCCIC products and services.

What GAO Recommends

GAO recommends nine actions to DHS for enhancing the effectiveness and efficiency of NCCIC, including to determine the applicability of the implementing principles and establish metrics and methods for evaluating performance; and address identified impediments. DHS concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In September 2017, DHS provided documentation supporting its determination on the extent to which statutorily required implementing principles apply to its cybersecurity functions. Specifically, NCCIC provided output of an effort to simplify the center's mission functions, document capabilities and map implementing principles to functions, as appropriate. The resulting analysis indicates whether a principle is critical to the success of a function and the extent to which each of the 9 principles is relevant to each of the 11 functions. Based on the information provided, DHS demonstrated that it has determined the extent to which statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Priority recommendation

    Comments: In January 2018, DHS stated that they are in the process of updating NCCIC Strategic Objectives. In doing so, DHS will determine the applicability of key performance indicators (KPI) and performance targets enabling NCCIC to assess its effectiveness in achieving its mission. The target date for completion of these activities is September 2018.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Priority recommendation

    Comments: In January 2018, DHS stated that it is in the process of updating NCCIC Strategic Objectives. DHS reported that it will align and verify each of its programs' goals and reestablish performance reviews to ensure mission effectiveness. The target date for completion of these activities is September 2018.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: In June 2017, DHS stated that it was taking steps to enable the successful implementation of the new National Cyber Incident Scoring Schema (NCISS), which is intended to aid NCCIC Watch Operations in helping facilitate the timely, actionable, and relevant dissemination of information to leadership. In September 2017, DHS provided evidence indicating that the NCISS guidelines were incorporated into the incident reporting systems. Based on the information provided, we plan to validate the extent of implementation through additional observation.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: In January 2018, NCCIC reported collaborating with the Network System Deployment (NSD) on the development and deployment of a Unified Workflow Information System. DHS reported that this system is intended to serve as NCCIC's central data system for stakeholder ticket creation and tracking. We will review the output of Unified Workflow Information System's development process once the system is implemented.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: In January 2018, DHS reported that it has authored and finalized the NCCIC Homeland Security Information Network (HSIN) Community of Interest User Maintenance Standard Operating Procedures (SOP). The SOP indicates that user audits will be conducted on a periodic basis, to determine user activity and whether customer information is valid. DHS also reported that the NCCIC continues to gather requirements and to develop its customer relationship management (CRM) tool that will support regular reviews and updates to customer information. The CRM tool implementation is to be determined.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: In January 2018, DHS reported that the Office of Cybersecurity and Communications (CS&C) has developed a Catalog of CS&C Services as a resource to critical infrastructure partners. This guide is intended to promote NCCIC operational offerings and information sharing programs, as well as incorporate other CS&C programs and services to critical infrastructure owners and operators. However, it is unclear how the services catalog will ensure full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: In September 2017, DHS reported that CS&C had created a draft road map, which included information on DHS enterprise alignment among its components. Related to this enterprise alignment, DHS reported that it continues to develop resource requirements and a proposed schedule for network consolidation.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency Affected: Department of Homeland Security

  9. Status: Closed - Implemented

    Comments: In September 2017, DHS reported that its high-impact system, the Homeland Security Information Network (HSIN), continues to support its security requirements which would impact NCCIC's ability to collaborate with its international partners. DHS NCCIC reported and provided evidence that it had completed and finalized the Contingency Incident Related Communications Plan for International Cybersecurity Centers, which documents alternative methods and processes by which NCCIC communicates with international partners. As a result, we consider this recommendation to be closed and implemented.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency Affected: Department of Homeland Security
