This report addressed (1) what actions have been taken to develop interagency mechanisms to plan and coordinate Comprehensive National Cybersecurity Initiative (CNCI) activities and (2) what challenges CNCI faces in achieving its objectives related to securing federal information systems.
These challenges include:
- Defining roles and responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies.
- Establishing measures of effectiveness. The initiative has not yet developed measures of the effectiveness in meeting its goals. While federal agencies have begun to develop effectiveness measures for information security, these have not been applied to the initiative.
- Establishing an appropriate level of transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public.
- Reaching agreement on the scope of educational efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative, or remain focused on the federal cyber workforce.
- better define roles and responsibilities of all key CNCI participants, such as the National Cyber Security Center, to ensure that essential government-wide cybersecurity activities are fully coordinated;
- establish measures to determine the effectiveness of CNCI projects in making federal information systems more secure and track progress against those measures;
- establish an appropriate level of transparency about CNCI by clarifying the rationale for classifying information, ensuring that as much information is made public as is appropriate, and providing justification for withholding information from the public; and
- reach agreement on the scope of CNCI’s education projects to ensure that an adequate cadre of skilled personnel is developed to protect federal information systems.