Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
Highlights
In response to the ongoing threats to federal systems and operations posed by cyber attacks, President Bush established the Comprehensive National Cybersecurity Initiative (CNCI) in 2008. This initiative consists of a set of projects aimed at reducing vulnerabilities, protecting against intrusions, and anticipating future threats. GAO was asked to determine (1) what actions have been taken to develop interagency mechanisms to plan and coordinate CNCI activities and (2) what challenges CNCI faces in achieving its objectives related to securing federal information systems. To do this, GAO reviewed CNCI plans, policies, and other documentation and interviewed officials at the Office of Management and Budget (OMB), Department of Homeland Security, and the Office of the Director of National Intelligence (ODNI), among other agencies. GAO also reviewed studies examining aspects of federal cybersecurity and interviewed recognized cybersecurity experts.
The White House and federal agencies have taken steps to plan and coordinate CNCI activities by establishing several interagency working groups. These include the National Cyber Study Group, which carried out initial brainstorming and information-gathering for the establishment of the initiative; the Communications Security and Cyber Policy Coordinating Committee, which presented final plans to the President and coordinated initial implementation activities; and the Joint Interagency Cyber Task Force, which serves as the focal point for monitoring and coordinating projects and enabling the participation of both intelligence-community and nonintelligence- community agencies. These groups have used a combination of status meetings and other reporting mechanisms to track implementation of projects. CNCI faces several challenges in meeting its objectives: (1) Defining roles and responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies. (2) Establishing measures of effectiveness. The initiative has not yet developed measures of the effectiveness in meeting its goals. While federal agencies have begun to develop effectiveness measures for information security, these have not been applied to the initiative. (3) Establishing an appropriate level of transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public. (4) Reaching agreement on the scope of educational efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative, or remain focused on the federal cyber workforce. Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems. The federal government also faces strategic challenges beyond the scope of CNCI in securing federal information systems: (1) Coordinating actions with international entities. The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing. (2) Strategically addressing identity management and authentication. Authenticating the identities of persons or systems seeking to access federal systems remains a significant governmentwide challenge. However, the federal government is still lacking a fully developed plan for implementation of identity management and authentication efforts.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | To address challenges that CNCI faces in achieving its objectives related to securing federal information systems, the Director of OMB should better define roles and responsibilities of all key CNCI participants, such as the National Cyber Security Center, to ensure that essential governmentwide cybersecurity activities are fully coordinated. |
The Office of Management and Budget (OMB) disagreed with this recommendation, stating that they believed that specific agency roles and responsibilities for the Comprehensive National Cybersecurity Initiative (CNCI) initiatives had been defined. OMB has not subsequently taken further action to better define agency roles and responsibilities for the CNCI initiatives.
|
Office of Management and Budget | To address challenges that CNCI faces in achieving its objectives related to securing federal information systems, the Director of OMB should establish measures to determine the effectiveness of CNCI projects in making federal information systems more secure and track progress against those measures. |
In February 2012, DHS, under overall direction from OMB and in collaboration with the Federal CIO Council and several other organizations, issued reporting metrics for the Federal Information Security Management Act (FISMA) that address our recommendation. The metrics included questions that were intended to establish current agency performance against which future performance could be measured and to determine whether future performance measures were needed. These metrics allow OMB to determine the effectiveness of federal agency efforts, including those associated with Comprehensive National Cybersecurity Initiative (CNCI), for making federal information systems more secure and allow OMB to track progress against those measures from year to year.
|
Office of Management and Budget | To address challenges that CNCI faces in achieving its objectives related to securing federal information systems, the Director of OMB should establish an appropriate level of transparency about CNCI by clarifying the rationale for classifying information, ensuring that as much information is made public as is appropriate, and providing justification for withholding information from the public. |
To establish an appropriate level of transparency for its CNCI project, OMB has made information regarding the Comprehensive National Cybersecurity Initiative (CNCI) publicly available on its website. CNCI-related information provides summary description of each initiaitve, such as managing the federal enterptise network as a single network enterprise with trusted Internet connections and deploying an intrusion detection system of across the federal enterprise. These descriptions provide a high-level summary of the initiative, responsible parties for implementing the inititative, and the imapact of the initiative.
|
Office of Management and Budget | To address challenges that CNCI faces in achieving its objectives related to securing federal information systems, the Director of OMB should reach agreement on the scope of CNCI's education projects to ensure that an adequate cadre of skilled personnel is developed to protect federal information systems. |
The Comprehensive National Cybersecurity Initiative (CNCI) education projects have been collected into the National Initiative for Cybersecurity Education (NICE), created in 2010. The goal of the program is to establish cybersecurity education program for the nation through 4 distinct tracts to enhance the nation's security, including, public service announcements, k-12 education programs, attracting the right skill sets into government postitions, and training the current federal workforce.
|
Office of Management and Budget | To address strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative's overall goal of securing federal information systems, the Director of OMB should establish a coordinated approach for the federal government in conducting international outreach to address cybersecurity issues strategically. |
An international strategy that is to coordinate the approach for the federal government was issued in 2011, entitled "International Strategy for Cyberspace". This strategy discusses the governments objectives and goals for reaching out internationally.
|
Office of Management and Budget | To address strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative's overall goal of securing federal information systems, the Director of OMB should continue development of a strategic approach to identity management and authentication, linked to HSPD-12 implementation, as initially described in the Chief Information Officiers Council's plan for implementing federal identity, credential, and access management, so as to provide greater assurance that only authorized individuals and entities can gain access to federal information systems. |
In February 2011, OMB released memorandum M-11-11, which requires that federal agencies align with the architecture and guidance provided in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance and further recognized the importance of the FICAM segment architecture to successfully continuing implementation of HSPD-12. In December 2011, the Federal Chief Information Officers Council released a revision of the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance that addresses our recommendation. The revised guidance included new implementation guidance for identity, credential, and access management that addressed the following areas: Implement Federated Identity Capability, Fully Leveraging PIV and PIV-I Credentials, ICAM Implementation Planning, and Transition Roadmap and Milestones. These documents provided a governmentwide implementation plan for identity management and authentication efforts linked to HSPD-12.
|