Coordination of Federal Cyber Security Research and Development
GAO-06-811: Published: Sep 29, 2006. Publicly Released: Oct 31, 2006.
Research and development (R&D) of cyber security technology is essential to creating a broader range of choices and more robust tools for building secure, networked computer systems in the federal government and in the private sector. The National Strategy to Secure Cyberspace identifies national priorities to secure cyberspace, including a federal R&D agenda. GAO was asked to identify the (1) federal entities involved in cyber security R&D; (2) actions taken to improve oversight and coordination of federal cyber security R&D, including developing a federal research agenda; and (3) methods used for technology transfer at agencies with significant activities in this area. To do this, GAO examined relevant laws, policies, budget documents, plans, and reports.
Several federal entities are involved in federal cyber security research and development. The Office of Science and Technology Policy and OMB establish high-level research priorities. The Office of Science and Technology Policy is to coordinate the development of a federal research agenda for cyber security and oversee the National Science and Technology Council, which prepares R&D strategies that are to be coordinated across federal agencies. The Council operates through its committees, subcommittees, and interagency working groups, which oversee and coordinate activities related to specific science and technology disciplines. The Subcommittee on Networking and Information Technology Research and Development and the Cyber Security and Information Assurance Interagency Working Group are prominently involved in the coordination of cyber security research. In addition, other groups provide mechanisms for coordination of R&D efforts on an informal basis. The National Science Foundation and the Departments of Defense and Homeland Security fund much of this research.
Federal entities have taken several important steps to improve the oversight and coordination of federal cyber security R&D, although limitations remain. Actions taken include chartering an interagency working group to focus on cyber security research, publishing a federal plan for guiding this research, reporting budget information for this research separately, and maintaining repositories of information on R&D projects. However, a federal cyber security research agenda has not been developed as recommended in the National Strategy to Secure Cyberspace and the federal plan did not fully address certain key elements. Further, the repositories do not contain information about all of the federally funded cyber security research projects in part because OMB had not issued guidance to ensure that agencies provided all information required for the repositories. As a result, information needed for oversight and coordination of cyber security research activities was not readily available.
Federal agencies use a variety of methods for sharing the results of cyber security research with federal and private organizations (technology transfer), including sharing information through agency Web sites. Other methods include relying on the researcher to disseminate information about his or her research, attending conferences and workshops, working with industry to share information about emerging threats and research, and publishing journals to help facilitate information sharing.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: As stated in a recent GAO report on cybersecurity R&D challenges (GAO-10-466), OSTP has not yet created a prioritized national or federal R&D agenda. As such, we recommended that OSTP establish a comprehensive national R&D agenda that, among other things, contains priorities for short-term, mid-term, and long-term complex cybersecurity R&D.
Recommendation: To strengthen cyber security research and development programs, the Director of the Office of Science and Technology Policy should establish firm timelines for the completion of the federal cyber security R&D agenda that includes near-term, mid-term, and long-term research. Such an agenda should include (1) timelines and milestones for conducting research and development activities; (2) goals and measures for evaluating research and development activities; (3) assignment of responsibility for implementation, including the accomplishment of the focus areas and suggested research priorities; and (4) the alignment of funding priorities with technical priorities.
Agency Affected: Executive Office of the President: Office of Science and Technology Policy
Status: Closed - Not Implemented
Comments: OMB has not implemented this recommendation. Specifically, in 2008, the RaDiUS database, which was intended to be the primary repository for tracking research and development projects, was decommissioned. According to a senior official at NSF, the data in RaDiUS were incomplete, users had difficulty using it, and the database was built with antiquated technology. In August 2010, OMB officials stated that they are currently evaluating several repositories to replace RaDiUS as a centralized database to house all government-funded R&D programs, including cybersecurity R&D. Officials anticipate selecting a repository by January 2011.
Recommendation: The Director of the Office of Management and Budget should issue guidance to agencies on reporting information about federally funded cyber security R&D projects to the governmentwide repositories.
Agency Affected: Executive Office of the President: Office of Management and Budget