The US federal government has not adequately defined where overall responsibility for coordination of cybersecurity duties lies, and federal agencies continue to have overlapping responsibilities, congressional investigators warned recently.
The Government Accountability Office (GAO) recommended that the White House do more to define roles and responsibilities under the Comprehensive National Cybersecurity Initiative (CNCI) and to set up measures for the effectiveness of cybersecurity activities.
Without such measures, federal agencies have continued to pursue separate cybersecurity projects with no true sense of how they are supporting the CNCI, GAO warned in a report, Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative.
The White House should further develop an appropriate level of transparency for the cybersecurity initiative, which mostly has remained secret from the public, the report said. The government has not made a compelling case for keeping CNCI information classified, and doing so creates an obstacle to coordinating with the private sector.
In addition, CNCI stakeholders have not yet come to agreement as to whether public awareness and education is part of the cybersecurity program or whether it simply applies to the federal workforce, the report said.
"Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems," the report stated.
The Office of Management and Budget (OMB) largely agreed with the GAO recommendations but denied that responsibilities among federal agencies were uncoordinated and overlapping.
In response to the report, OMB CIO Vivek Kundra wrote that the responsibilities of federal agencies are clearly defined by Homeland Security Presidential Directive 23. Furthermore, they receive assistance from the National Computer Security Center in coordinating incident information from various federal incident response centers, Kundra asserted.
Established in 2008, CNCI consists of 12 program elements supported by federal interagency working groups.
The working groups include the National Cyber Study Group, which gathers information for the initiative; the Communications Security and Cyber Policy Coordinating Committee, which coordinates implementation activities under the initiative; and the Joint Interagency Cyber Task Force, which monitors projects and bridges participation between members of the intelligence community and those outside of the intelligence community.
Those supporting the cybersecurity initiative also will encounter challenges beyond its scope, GAO cautioned.
Federal agencies will face the need to coordinate their actions with international cybersecurity stakeholders, and there is not yet a federal strategy to do so, the GAO report said.
Also, no plan yet exists for implementing identity management and authentication efforts across the federal government, the report added.