Cybersecurity:

DHS's National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely

GAO-17-163: Published: Feb 1, 2017. Publicly Released: Feb 1, 2017.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS) has taken steps to perform each of its 11 statutorily required cybersecurity functions, such as being a federal civilian interface for sharing cybersecurity-related information with federal and nonfederal entities. It manages several programs that provide data used in developing 43 products and services in support of the functions. The programs include monitoring network traffic entering and exiting federal agency networks and analyzing computer network vulnerabilities and threats. The products and services are provided to its customers in the private sector; federal, state, local, tribal, and territorial government entities; and other partner organizations. For example, NCCIC issues indicator bulletins, which can contain information related to cyber threat indicators, defensive measures, and cybersecurity risks and incidents and help to fulfill its function to coordinate the sharing of such information across the government.

The National Cybersecurity Protection Act also required NCCIC to carry out its functions in accordance with nine implementing principles, to the extent practicable. However, the extent to which NCCIC adhered to the 9 principles when performing the functions is unclear because the center has not yet determined the applicability of the principles to all 11 functions, or established metrics and methods by which to evaluate its performance against the principles. GAO identified instances where NCCIC had implemented its functions in accordance with one or more of the principles. For example, consistent with the principle that it seek and receive appropriate consideration from industry sector-specific, academic, and national laboratory expertise, NCCIC coordinated with contacts from industry, academia, and the national laboratories to develop and disseminate vulnerability alerts. On the other hand, GAO also identified instances where the cybersecurity functions were not performed in accordance with the principles. For example, NCCIC is to provide timely technical assistance, risk management support, and incident response capabilities to federal and nonfederal entities; however, it had not established measures or other procedures for ensuring the timeliness of these assessments. Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.

In addition, GAO identified factors that impede NCCIC's ability to more efficiently perform several of its cybersecurity functions. For example, NCCIC officials were unable to completely track and consolidate cyber incidents reported to the center, thereby inhibiting its ability to coordinate the sharing of information across the government. Similarly, NCCIC may not have ready access to the current contact information for all owners and operators of the most critical cyber-dependent infrastructure assets. This lack could impede timely communication with them in the event of a cyber incident. Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks.

Why GAO Did This Study

Cyber-based intrusions and attacks on federal systems and systems supporting our nation's critical infrastructure, such as communications and financial services, have become more numerous, damaging, and disruptive. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. The National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 require NCCIC to perform 11 cybersecurity-related functions, including sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.

The two acts also contained provisions for GAO to report on NCCIC's implementation of its cybersecurity mission. For this report, GAO assessed the extent to which the NCCIC was performing the 11 required functions. To do this, GAO analyzed relevant program documentation, interviewed officials, and conducted a non-generalizable survey of 2,792 federal and nonfederal recipients of NCCIC products and services.

What GAO Recommends

GAO recommends nine actions to DHS for enhancing the effectiveness and efficiency of NCCIC, including determining the applicability of the implementing principles, establishing metrics and methods for evaluating performance, and addressing identified impediments. DHS concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In September 2017, DHS provided documentation supporting its determination on the extent to which statutorily required implementing principles apply to its cybersecurity functions. Specifically, NCCIC provided output of an effort to simplify the center's mission functions, document capabilities and map implementing principles to functions, as appropriate. The resulting analysis indicates whether a principle is critical to the success of a function and the extent to which each of the 9 principles is relevant to each of the 11 functions. Based on the information provided, DHS demonstrated that it has determined the extent to which statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the extent to which the statutorily required implementing principles apply to NCCIC's cybersecurity functions.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Priority recommendation

    Comments: In March 2019, DHS stated that they will analyze their current performance measures, including the Agency Priority Goals Annual Performance Metrics, to identify gaps for areas where they need to develop additional measures or metrics that better assess the agency's ability to perform statutorily required functions in accordance with applicable principles. When DHS provides their analysis, we will review to determine if they have addressed this recommendation.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Priority recommendation

    Comments: In March 2019, DHS stated that they are in the process of realigning the National Cybersecurity and Communications Integration Center (NCCIC) in response to the November 2018 Cybersecurity and Infrastructure Security Agency (CISA) Act. Officials stated that the functions of the NCCIC will remain the same, but they will be organized differently. DHS said that they will organize a briefing where they can explain the changes to GAO. When DHS provides information on the details of their efforts, we will review and determine how the agency has established methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In March 2019, DHS officials stated that they are still working on developing the UWS, and anticipate a capability to be in place within the next 6 to 12 months. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS), expected to be completed in late 2019, could impact this recommendation as well. Once DHS has provided the documents related to the NCCIC service desk as well as the SOPs, we will determine if they have fulfilled this recommendation.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In March 2019, DHS said they will provide GAO with an updated customer log along with the NCCIC customer information standard operating procedure. Once provided, we will review that information to determine if they have implemented sufficient procedures to perform regular review of customer information.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: In January 2018, DHS reported that the Office of Cybersecurity and Communications (CS&C) has developed a Catalog of CS&C Services as a resource to critical infrastructure partners. In March 2019, DHS said they will provide GAO with their updated customer log as well as the NCCIC customer information standard operating procedure. Once provided, we will review that information to determine if DHS has ensured the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: In March 2019, DHS said that they will provide a list of systems, networks, and analytical tools for consolidating or integrating the legacy networks used by NCCIC analysts. Once provided, we will review the information and determine if it supports the closure of this recommendation.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

    Agency Affected: Department of Homeland Security

  9. Status: Closed - Implemented

    Comments: In September 2017, DHS reported that its high-impact system, the Homeland Security Information Network (HSIN), continues to support its security requirements, which would impact NCCIC's ability to collaborate with its international partners. DHS NCCIC reported and provided evidence that it had completed and finalized the Contingency Incident Related Communications Plan for International Cybersecurity Centers, which documents alternative methods and processes by which NCCIC communicates with international partners. As a result, we consider this recommendation to be closed and implemented.

    Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.

    Agency Affected: Department of Homeland Security

 
