CybersecurityU.S. implements president's cybersecurity recommendations

The Government Accountability Office (GAO) reports that the executive branch has made progress implementing the president 2009 cybersecurity Policy Review Recommendations, but that sustained leadership is needed.

The GAO found that of the twenty-four recommendations in the president’s May 2009 cyber policy review report, two have been fully implemented, and twenty-two have been partially implemented. The two fully implemented recommendations involve appointing within the National Security Council (NSC) a cybersecurity policy official (Special Assistant to the President and Cybersecurity Coordinator) responsible for coordinating the U.S. cybersecurity policies and activities, and a privacy and civil liberties official. Examples of partially implemented recommendations include:

• Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties, leveraging privacy-enhancing technologies for the nation: In June 2010, the administration released a draft strategy (entitled National Strategy for Trusted Identities in Cyberspace) that seeks to increase trust associated with the identities of individuals, organizations, services, and devices involved in financial and other types of online transactions, as well as address privacy and civil liberty issues associated with identity management. It plans to finalize the strategy in October 2010.
• Develop a framework for research and development strategies: The administration’s Office of Science and Technology Policy (which is within the Executive Office of the President) has efforts under way to develop a framework for research and development strategies, which as currently envisioned includes three key cybersecurity research and development themes, but is not expected to be finalized until 2011.

Officials from key agencies involved in these cybersecurity efforts (for example, the Departments of Defense and Homeland Security and the Office of Management and Budget) attribute the partial implementation status of the 22 recommendations in part to the fact that agencies are moving slowly because they have not been assigned roles and responsibilities with regard to recommendation implementation. Specifically, although the policy review report calls for the cybersecurity policy official to assign roles and responsibilities, agency officials stated they have yet to receive this tasking and attribute this to the fact that the cybersecurity policy official position was vacant for 7 months. GAO notes that in addition, officials stated that several mid-term recommendations are broad in nature, and agencies state they will require action over multiple years before they are fully implemented. This notwithstanding, federal agencies reported they have efforts planned or under way that are aimed toward implementing the twenty-two partially implemented recommendations. While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur. Specifically, sixteen of the twenty-two near- and mid-term recommendations did not have milestones and plans for implementation. Consequently, until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country’s cyber infrastructure at risk.