- Designing and implementing risk-based cybersecurity programs at federal agencies. Shortcomings persist in assessing risks, developing and implementing security programs, and monitoring results at federal agencies. This is due in part to the fact that agencies have not fully implemented information security programs, resulting in reduced assurance that controls are in place and operating as intended to protect their information resources.
- Establishing and identifying standards for critical infrastructures. Agencies with responsibilities for critical infrastructure have not yet identified cybersecurity guidance widely used in their respective sectors. Moreover, critical infrastructure sectors vary in the extent to which they are required by law or regulation to comply with specific cybersecurity requirements.
- Detecting, responding to, and mitigating cyber incidents. Sharing information among federal agencies and key private-sector entities remains a challenge, due to, for example, the lack of a centralized information-sharing system. In addition, the Department of Homeland Security (DHS) has yet to fully develop a capability for predictive analysis of cyber threats.
The federal cybersecurity strategy has evolved over the past decade, with the issuance of several strategy documents and other initiatives that address aspects of these challenge areas. However, there is no overarching national cybersecurity strategy that synthesizes these documents or comprehensively describes the current strategy. In addition, the government's existing strategy documents do not always incorporate key desirable characteristics GAO has identified that can enhance the usefulness of national strategies. Specifically, while existing strategy documents have included elements of these characteristics — such as setting goals and subordinate objectives — they have generally lacked other key elements.
These include milestones and performance measures to gauge results; costs of implementing the strategy and sources and types of resources needed; and a clear definition of the roles and responsibilities of federal entities. For example, although federal law assigns the Office of Management and Budget (OMB) responsibility for oversight of federal government information security, OMB recently transferred several of these responsibilities to DHS. This decision may have had practical benefits, such as leveraging additional resources and expertise, but it remains unclear how OMB and DHS are to share oversight of individual departments and agencies. Additional legislation could clarify these responsibilities. Further, without an integrated strategy that includes key characteristics, the federal government will be hindered in making further progress in addressing cybersecurity challenges.
In this report, GAO recommended that an integrated national strategy be developed that includes milestones and performance measures; costs and resources; and a clear definition of roles and responsibilities. It also stated that Congress should consider clarifying federal cybersecurity oversight roles through legislation.