A GAO report has found that DHS needs to enhance its efforts to improve federal and private-sector network security.
GAO found that DHS has made important progress in implementing programs and activities that are intended to mitigate cybersecurity risks on the computer systems and networks supporting federal operations and critical infrastructure. It has provided some detection capabilities, issued binding directives, improved the sharing of cybersecurity threat information and promoted the NIST guidelines.
However, GAO also found that the department has not taken sufficient actions to ensure that it successfully mitigates cybersecurity risks on federal and private-sector computer systems and networks. For example, GAO reported in 2016 that DHS's National Cybersecurity Protection System (NCPS) had only partially met its stated system objectives of detecting and preventing intrusions, analyzing malicious content, and sharing information.
The report also found that DHS needed to evaluate the activities of the National Cybersecurity and Communications Integration Center more thoroughly. The center had not established metrics and methods by which to evaluate its performance against its statutorily defined implementing principles.
GAO also stated that, in its role as the lead federal agency for collaborating with eight critical infrastructure sectors, including the communications and dams sectors, DHS had not developed metrics to measure and report on the effectiveness of its cyber risk mitigation activities or on the cybersecurity posture of those eight sectors. In 2018, DHS had taken steps to assess its cybersecurity workforce; however, it had not identified all of its cybersecurity positions and critical skill requirements, and GAO found that until it does so, its ability to improve and promote the cybersecurity of federal and private-sector networks will be limited.