GAO: CNCI's Goals are at Risk
Kundra Says GAO Misguided on One Recommendation
Among the challenges:
Defining Roles and Responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies.
Establishing Measures of Effectiveness. The initiative has not yet developed measures of its effectiveness in meeting its goals. While federal agencies have begun to develop effectiveness measures for information security, these have not been applied to the initiative.
Establishing an Appropriate Level of Transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public.
Reaching Agreement on the Scope of Educational Efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative, or remain focused on the federal cyber workforce.
GAO said the federal government also faces strategic challenges beyond the scope of CNCI in securing federal information systems, including:
Coordinating Actions with International Entities. The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing.
Strategically Addressing Identity Management and Authentication. Authenticating the identities of persons or systems seeking to access federal systems remains a significant governmentwide challenge. However, the federal government is still lacking a fully developed plan.
The White House Office of Management and Budget agreed with five of six recommendations, challenging the recommendation regarding defining roles and responsibilities. In a letter to the GAO, Federal CIO Vivek Kundra said the roles and responsibilities of agencies participating in the CNCI are clearly defined in a presidential directive. "Lead agencies have been designed for each initiative," Kundra said. "Lead agencies are held to implementation plans and report quarterly on their progress against goals."
Kundra said the GAO draft report cites the agencies' response to July 2009 distributed denial of service attacks against some federal websites as an example of the confusion over roles and responsibilities for agencies participating in the CNCI. "The government's response to the incident was not an activity that fell under the roles and responsibilities under CNCI," Kundra wrote. "Operational incident response management for civil executive branch departments and agencies is set forth in the Federal Information Security Management Act."
However, GAO sees it differently, and said such definitions are key to achieving CNCI's objective of securing federal systems.
President Bush established the CNCI in 2008 in response to the continuing threats that cyber attacks pose to federal IT systems and operations and to the nation's critical information infrastructure. This week, the White House provided a declassified summary of the dozen CNCI programs.
In its report, GAO pointed out that the White House and federal agencies have taken steps to plan and coordinate CNCI activities by establishing several interagency working groups. These include the National Cyber Study Group, which carried out initial brainstorming and information-gathering for the establishment of the initiative; the Communications Security and Cyber Policy Coordinating Committee, which presented final plans to the President and coordinated initial implementation activities; and the Joint Interagency Cyber Task Force, which serves as the focal point for monitoring and coordinating projects and enabling the participation of both intelligence-community and non-intelligence-community agencies. These groups have used a combination of status meetings and other reporting mechanisms to track implementation of projects.