The extent to which the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has taken steps to perform each of its 11 statutorily required cybersecurity functions — such as being a federal civilian interface for sharing cybersecurity-related information with federal and nonfederal entities — the degree to which the center has adhered to the 9 principles required by the National Cybersecurity Protection Act of 2014 to perform its cybersecurity functions “is unclear because the center has not yet determined the applicability of the principles to all 11 functions, or established metrics and methods by which to evaluate its performance against the principles,” according to new Government Accountability Office (GAO) audit report.
NCCIC manages programs that provide data used in developing 43 products and services in support of its functions, including monitoring network traffic entering and exiting federal agency networks, and analyzing computer network vulnerabilities and threats. NCCIC products and services also are provided to its customers in the private sector; federal, state, local, tribal and territorial government entities; and other partner organizations. For example, NCCIC issues indicator bulletins, which can contain information related to cyber threat indicators, defensive measures and cybersecurity risks and incidents, and help to fulfill its function to coordinate the sharing of such information across the government.
GAO reported it “identified instances where NCCIC had implemented its functions in accordance with one or more of the principles. For example, consistent with the principle that it seek and receive appropriate consideration from industry sector-specific, academic, and national laboratory expertise, NCCIC coordinated with contacts from industry, academia and the national laboratories to develop and disseminate vulnerability alerts.”
But, “On the other hand,” GAO said it “also identified instances where the cybersecurity functions were not performed in accordance with the principles. For example, NCCIC is to provide timely technical assistance, risk management support and incident response capabilities to federal and nonfederal entities; however, it had not established measures or other procedures for ensuring the timeliness of these assessments. Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.”
GAO said it further “identified factors that impede NCCIC’s ability to more efficiently perform several of its cybersecurity functions. For example, NCCIC officials were unable to completely track and consolidate cyber incidents reported to the center, thereby inhibiting its ability to coordinate the sharing of information across the government. Similarly, NCCIC may not have ready access to the current contact information for all owners and operators of the most critical cyber-dependent infrastructure assets. This lack could impede timely communication with them in the event of a cyber incident.”
GAO warned that, “Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities and managing cyber risks.”
In its written comments on a draft of GAO’s audit, DHS concurred with all nine recommendations.
DHS “also provided details about steps that it plans to take to address each of the recommendations, including estimated time frames for completion. If effectively implemented, these actions should enhance the effectiveness and efficiency of NCCIC in performing its statutory requirements,” GAO reported.
To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, GAO recommended that the DHS Secretary take the following nine actions:
- Determine the extent to which the statutorily required implementing principles apply to NCCIC’s cybersecurity functions.
- Develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.
- Establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.
- Integrate information related to security incidents to provide management with more complete information about NCCIC operations.
- Determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.
- Develop and implement procedures to perform regular reviews of customer information to ensure that it is current and reliable.
- Take steps to ensure the full representation of the owners and operators of the nation’s most critical cyber-dependent infrastructure assets.
- Establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.
- Identify alternative methods to collaborate with international partners, while ensuring the security requirements of high-impact systems.
