Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy

GAO-20-629: Published: Sep 22, 2020. Publicly Released: Sep 22, 2020.

Multimedia:

  • PODCAST: Implementing a National Cybersecurity Strategy

    Increasingly sophisticated cyberthreats have underscored the need to strengthen the federal government's role in protecting critical infrastructure. These threats pose serious challenges to our economy, as well as to our national security and your personal privacy. So, what is the federal government doing to prepare for and protect against these threats? We talk with GAO's Nick Marinos, an expert on cybersecurity and data protection, and a director in our Information Technology and Cybersecurity Team.



Contact:

Nick Marinos
(202) 512-9342
marinosn@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Increasingly sophisticated threats underscore the need to bolster the cybersecurity of the nation—a topic on our High Risk List.

We and others have noted an urgent need to clearly define a central leadership role to coordinate government efforts. Despite the issuance of a National Cyber Strategy in 2018, it is still unclear which executive branch official is ultimately responsible for not only coordinating implementation of the strategy, but also holding federal agencies accountable once activities are implemented.

We recommended ways to better oversee the strategy and suggested that Congress consider legislation to designate a leader.


What GAO Found

Federal entities have a variety of roles and responsibilities for supporting efforts to enhance the cybersecurity of the nation. Among other things, 23 federal entities have roles and responsibilities for developing policies, monitoring critical infrastructure protection efforts, sharing information to enhance cybersecurity across the nation, responding to cyber incidents, investigating cyberattacks, and conducting cybersecurity-related research. To fulfill their roles and responsibilities, federal entities identified activities undertaken in support of the nation's cybersecurity. For example, National Security Council (NSC) staff, on behalf of the President, and the National Institute of Standards and Technology have developed policies, strategies, standards, and plans to guide cybersecurity efforts. The Department of Homeland Security has helped secure the nation's critical infrastructure through developing security policy and coordinating security initiatives, among other efforts. Other agencies have established initiatives to gather intelligence and share information on actual or possible cyberattacks. Multiple agencies have mechanisms in place to assist in responding to cyberattacks, and law enforcement components, including the Federal Bureau of Investigation, are responsible for investigating them.

The White House's September 2018 National Cyber Strategy and the NSC's accompanying June 2019 Implementation Plan detail the executive branch's approach to managing the nation's cybersecurity. When evaluated together, these documents addressed several of the desirable characteristics of national strategies, but lacked certain key elements for addressing others.

National Cyber Strategy and Implementation Plan Are Missing Desirable Characteristics of a National Strategy

    Characteristic                                                      Cyber Strategy and Plan Coverage of Issue
    Purpose, scope, and methodology                                     Addressed
    Organizational roles, responsibilities, and coordination            Addressed
    Integration and implementation                                      Addressed
    Problem definition and risk assessment                              Did not fully address
    Goals, subordinate objectives, activities, and performance measures Did not fully address
    Resources, investments, and risk management                         Did not fully address

Source: GAO analysis of 2018 National Cyber Strategy and 2019 Implementation Plan. | GAO-20-629

For example, the Implementation Plan details 191 activities that federal entities are to undertake to execute the priority actions outlined in the National Cyber Strategy. These activities are assigned a level, or tier, based on the coordination effort required to execute the activity and the extent to which NSC staff are expected to be involved. Thirty-five of these activities are designated as the highest level (tier 1) and are coordinated by a functional entity within the NSC. Ten entities are assigned to lead or co-lead these tier 1 activities; the same entities are also tasked with leading or co-leading lower-tier activities.

Leadership Roles for Federal Entities Assigned as Leads or Co-Leads for National Cyber Strategy Implementation Plan Activities

    Entity                               Tier 1 Activities   Tier 2 Activities   Tier 3 Activities
    National Security Council                           15                   7                   3
    Department of Homeland Security                     14                  19                  15
    Office of Management and Budget                      7                   6                   5
    Department of Commerce                               5                   9                  35
    Department of State                                  2                   5                  11
    Department of Defense                                1                   6                  17
    Department of Justice                                1                  10                   5
    Department of Transportation                         1                   0                   5
    Executive Office of the President                    1                   0                   0
    General Services Administration                      1                   2                   1

Source: GAO analysis of 2018 National Cyber Strategy and 2019 Implementation Plan. | GAO-20-629

Although the Implementation Plan defined the entities responsible for leading each of the activities, it did not include goals and timelines for 46 of the activities or identify the resources needed to execute 160 of them. Additionally, the discussion of risk in the National Cyber Strategy and Implementation Plan was not based on an analysis of threats and vulnerabilities. Further, the documents did not specify a process for monitoring agency progress in executing Implementation Plan activities. Instead, NSC staff stated that they performed periodic check-ins with responsible entities, but they did not provide an explanation or definition of the specific level of NSC staff involvement for each of the three tier designations. Without a consistent approach to engaging with responsible entities and a comprehensive understanding of what is needed to implement all 191 activities, the NSC will face challenges in ensuring that the National Cyber Strategy is efficiently executed.

GAO and others have reported on the urgency and necessity of clearly defining a central leadership role in order to coordinate the government's efforts to overcome the nation's cyber-related threats and challenges. The White House identified the NSC staff as responsible for coordinating the implementation of the National Cyber Strategy. However, in light of the elimination of the White House Cybersecurity Coordinator position in May 2018, it remains unclear which official ultimately maintains responsibility for not only coordinating execution of the Implementation Plan, but also holding federal agencies accountable once activities are implemented. NSC staff stated that responsibility for duties previously attributed to the White House Cybersecurity Coordinator was passed to the senior director of the NSC's Cyber directorate; however, the staff did not provide a description of what those responsibilities include. NSC staff also stated that federal entities are ultimately responsible for determining the status of the activities that they lead or support and for communicating implementation status to relevant NSC staff. However, without a clear central leader to coordinate activities, as well as a process for monitoring performance of the Implementation Plan activities, the White House cannot ensure that entities are effectively executing their assigned activities intended to support the nation's cybersecurity strategy and ultimately overcome this urgent challenge.

Why GAO Did This Study

Increasingly sophisticated cyber threats have underscored the need to manage and bolster the cybersecurity of key government systems and the nation's cybersecurity. The risks to these systems are increasing as security threats evolve and become more sophisticated. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. In 2018, GAO noted that the need to establish a national cybersecurity strategy with effective oversight was a major challenge facing the federal government.

GAO was requested to review efforts to protect the nation's cyber critical infrastructure. The objectives of this report were to (1) describe roles and responsibilities of federal entities tasked with supporting national cybersecurity, and (2) determine the extent to which the executive branch has developed a national strategy and a plan to manage its implementation.

To do so, GAO identified 23 federal entities responsible for enhancing the nation's cybersecurity. Specifically, GAO selected 13 federal agencies based on their specialized or support functions regarding critical infrastructure security and resilience, and 10 additional entities based on analysis of its prior reviews of national cybersecurity, relevant executive policy, and national strategy documents. GAO also analyzed the National Cyber Strategy and Implementation Plan to determine if they aligned with the desirable characteristics of a national strategy.

What GAO Recommends

GAO is making one matter for congressional consideration: that Congress should consider legislation to designate a leadership position in the White House with the commensurate authority to implement and encourage action in support of the nation's cybersecurity.

GAO is also making one recommendation to the National Security Council to work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things. The National Security Council neither agreed nor disagreed with GAO's recommendation.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Matter for Congressional Consideration

  1. Status: Open

    Comments: When we determine what steps the Congress has taken, we will provide updated information.

    Matter: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Recommendation for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

    • an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

    • measures of performance and a formal mechanism to track progress of the execution of activities; and

    • an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

    Agency Affected: Executive Office of the President: National Security Council
