Editor’s Note: GAO’s Cybersecurity Strategy report is attached here. An interview with GAO on Assessing the Nation’s Cybersecurity Strategy is available here. GAO’s Recommendations for Executive Action are below along with a matter for Congress to consider:
Recommendations for Executive Action
In order to institute a more effective framework for implementing cybersecurity activities, and to help ensure such activities will lead to progress in cybersecurity, we recommend that the White House Cybersecurity Coordinator in the Executive Office of the President develop an overarching federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy, including
• milestones and performance measures for major activities to address stated priorities;
• cost, sources, and justification for needed resources to accomplish stated priorities;
• specific roles and responsibilities of federal organizations related to the strategy’s stated priorities; and
• guidance, where appropriate, regarding how this strategy relates to priorities, goals, and objectives stated in other national strategy documents.
This strategy should also better ensure that federal departments and agencies are held accountable for making significant improvements in cybersecurity challenge areas, including designing and implementing risk-based programs; detecting, responding to, and mitigating cyber incidents; promoting education, awareness, and workforce planning; promoting R&D; and addressing international cybersecurity challenges. To address these issues, the strategy should (1) clarify how OMB will oversee agency implementation of requirements for effective risk management processes and (2) establish a roadmap for making significant improvements in cybersecurity challenge areas where previous recommendations have not been fully addressed.
Matter for Congressional Consideration
To address ambiguities in roles and responsibilities that have resulted from recent executive branch actions, Congress should consider legislation to better define roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation’s critical cyber assets.