White House Slow to Execute Cyber Policy
GAO: Only 2 of 24 of Obama's Cyber Proposals Fully Implemented
"Although the policy review report calls for the cybersecurity policy official to assign roles and responsibilities, agency officials stated they have yet to receive this tasking and attribute this to the fact that the cybersecurity policy official position was vacant for seven months," David Powner, director of IT management issues at the Government Accountability Office, wrote in a 66-page report entitled Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed issued Wednesday.
(Listen to an interview with Powner: It'll Take Time to Achieve Obama's Goals.)
Obama named Howard Schmidt to be his cybersecurity coordinator in December; Schmidt began work in January.
In an e-mail message to GovInfoSecurity.com, a White House spokesman said the administration wasn't going to comment beyond what Schmidt said in a draft version of the report that circulated last summer. "We just got this [final] version today ourselves and are reviewing it and will prepare a response to Congress," the spokesman said. "It wouldn't be appropriate for us to respond to the report in the media before we do so directly to Congress."
Rep. Bennie Thompson, the Mississippi Democrat who chairs the House Homeland Security Committee, requested the GAO study, and said in a statement he found the findings troubling and urged Schmidt to immediately set forth implementation plans which contain metrics and timetables.
The appointment of a cybersecurity coordinator was one of only two recommendations to be fully implemented; the other was the naming of a privacy and civil liberties official. GAO said the other 22 recommendations have been partially implemented.
Powner offered two examples of a partially implemented recommendation:
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties, leveraging privacy-enhancing technologies for the nation: In June, the administration released a draft strategy - National Strategy for Trusted Identities in Cyberspace - that seeks to increase trust associated with the identities of individuals, organizations, services and devices involved in financial and other types of online transactions, as well as address privacy and civil liberty issues associated with identity management. The administration plans to finalize the strategy this month.
- Develop a framework for research and development strategies: The administration's Office of Science and Technology Policy has efforts under way to develop a framework for research and development strategies, which as envisioned includes three key cybersecurity research and development themes but is not expected to be finalized until 2011.
Powner also said officials from key agencies told GAO that several mid-term recommendations are broad and would require action over years before they're fully implemented. For example, he said agencies characterized one recommendation, to expand sharing of information about network incidents and vulnerabilities with key allies, as being very broad, requiring additional guidance to be fully implemented, and possibly taking a number of years to complete.
Still, these agencies reported they have initiatives planned or under way to implement the 22 recommendations. "While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation of the recommendations was to occur," Powner wrote.
Specifically, he said, 16 of the 22 near- and mid-term recommendations did not have milestones and plans for implementation.
"Our extensive research and experience at federal agencies have shown that, without clearly and explicitly assigned roles and responsibilities and documented plans, agencies increase the risk that implementing such actions will not fully succeed," Powner wrote. "Until these roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk."