Auditors Fault Slow Progress On Government Cybersecurity

The federal government is making progress in implementing the cybersecurity policy recommendations laid out by the White House in a 2009 review, but needs to better define agency roles and responsibilities and establish firmer implementation schedules, according to a report by Congressional auditors.

The Government Accountability Office report finds that, more than a year after the review was issued, the administration has fully implemented only two of the 24 recommendations in last year's Cyberspace Policy Review, although it has at least partially implemented the other 22.

Officials with the Department of Defense, Department of Homeland Security, and Office of Management and Budget (three of the agencies with broad cybersecurity responsibilities) told the GAO that agencies are moving slowly on some of these recommendations because they haven't been assigned specific roles or responsibilities, and attributed that to a seven-month vacancy in the White House's top cybersecurity position, cybersecurity coordinator, immediately after the policy review's release.

The GAO also found that many of the near-term and mid-term recommendations outlined by the policy review do not yet have milestones or implementation plans associated with them.

"Until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report said.

The two recommendations that have been fully implemented both involve appointments of officials. The review recommended the appointment of a policy official within the National Security Council responsible for coordinating national cyber policy, and Howard Schmidt was later appointed as cybersecurity coordinator. In addition, the review recommended appointment of a privacy and civil liberties official, who was appointed in late 2009.

The report serves as a bit of a progress update on the other recommendations. For example, it notes that, pursuant to a recommendation to build a civil liberties-sensitive, cybersecurity-based ID management vision and strategy, the government plans to finalize the National Strategy for Trusted Identities this month.

In terms of a cybersecurity research and development framework, meanwhile, the White House Office of Science and Technology Policy expects to finalize its work there by next year. The report also notes that OMB plans to establish cybersecurity performance metrics by November.