5-Year-Old Cybersecurity Plans Inadequate, GAO Says

Cybersecurity plans submitted by US federal agencies to the Office of Management and Budget (OMB) more than five years ago were mostly incomplete, congressional investigators said Monday, and OMB should direct those agencies to update and complete them now.
"The shortfalls in meeting OMB’s guidance are attributable, in part, to OMB not making these plans a priority and managing them as such by, for example, following up on a regular basis to assess whether agencies are updating their plans to fully address the requirements and are effectively implementing them," stated the Government Accountability Office in its report, Critical Infrastructure Protection: OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets.
GAO examined the cybersecurity plans of 24 federal agencies, many of which own and operate critical cyber infrastructure. President George Bush required those agencies to submit their plans to OMB by July 31, 2004, a deadline they all met. (Six agencies submitted documentation instead of actual plans, following flexibilities in OMB guidance.)
In providing guidance for the cybersecurity plans, OMB required agencies to address 19 cyber and related requirements. But only four of the plans examined by GAO fully did so. The plans from the other 14 agencies addressed at least eight of the requirements, but addressed others only partially or not at all. Eight of those agencies whose plans were incomplete have since addressed some of the missing criteria through other cybersecurity activities, the report added.
The shortfalls in the federal cybersecurity plans lingered because OMB did not follow up to verify that agencies revised their plans to incorporate feedback from the agency after OMB's initial review, the report declared. OMB also did not examine whether agencies actually implemented and institutionalized cybersecurity plans.
OMB responded that its limited resources were devoted to other issues, and it did not ask the agencies to update their plans on a periodic basis.
"Without more sustained leadership, management, and oversight in this area, there is an increased risk that federal agencies individually, and the federal government collectively, will not effectively identify, prioritize, and protect their critical cyber assets, leaving them vulnerable to efforts to destroy, incapacitate, or exploit them," the GAO report concluded.
GAO recommended that OMB direct federal agencies to update their plans to meet its requirements and that it follow up to ensure that agencies implement the plans, which were required under Homeland Security Presidential Directive 7. OMB agreed with the recommendations.


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
