In the face of escalating cyber threats to federal information systems and critical infrastructure, the Office of the National Cyber Director (ONCD) plays a pivotal role in leading national cyber policy and strategy. To fortify the nation’s cybersecurity posture, the ONCD has put forth the National Cybersecurity Strategy, accompanied by an implementation plan. While the foundation laid by these documents is commendable, a recent Government Accountability Office (GAO) review has identified areas where additional detail is essential for consistent and effective government-wide implementation.
Extent to Which the March 2023 National Cybersecurity Strategy and July 2023 Implementation Plan Addressed GAO’s Desirable Characteristics of a National Strategy
GAO’s examination revealed that the National Cybersecurity Strategy and its corresponding implementation plan jointly addressed four out of six desirable characteristics identified in prior GAO work. However, the remaining two characteristics—outcome-oriented performance measures and resources with estimated costs—were only partially addressed.
One key aspect highlighted by GAO was the absence of fully developed outcome-oriented performance measures in the documents. While ONCD staff cited the impracticality of developing such measures at this point, GAO contends that it is feasible and necessary, especially in critical areas such as disrupting ransomware attempts. The Department of the Treasury, for instance, already collects data on the number and value of ransomware-related incidents, showcasing the feasibility and importance of outcome-oriented measures for assessing effectiveness.
Another critical point of concern identified by GAO was the lack of details on resources and estimated costs in the implementation plan. Despite the complexity of estimating the cost of the entire strategy, GAO emphasizes the importance of providing cost estimates for specific initiatives, particularly those requiring executive visibility and interagency coordination. Such cost estimates are instrumental for effective program management, ensuring transparency and facilitating informed investment decisions.
The absence of these details, as highlighted by GAO, poses risks to the ONCD’s ability to measure plan outcomes accurately and introduces uncertainty regarding the funding of crucial activities. To address these shortcomings, GAO recommends that the ONCD take necessary actions to provide a more comprehensive implementation plan that incorporates outcome-oriented performance measures and estimated costs for key initiatives.
With cybersecurity having been a high-risk area for over 25 years, the ONCD’s leadership and the effectiveness of its strategy and plan are of paramount importance in safeguarding the nation’s digital infrastructure. GAO’s assessment aims to contribute to strengthening the ONCD’s approach to tackling evolving cyber threats and ensuring the resilience of federal information systems.