National Cyber Strategy needs better implementation measures, GAO argues

The White House Office of the National Cyber Director has only partially addressed a pair of implementation goals tied to a sweeping overhaul of the federal cybersecurity landscape, and needs to improve them to ensure the government is protected against cyber intrusions, GAO argued in an information security report released Thursday.

The analysis specifically calls out ONCD’s work in outcome-oriented performance measures and resource cost estimations for the National Cyber Strategy unveiled last March, arguing the executive branch cyber office is capable of expanding on performance goals and costs for strategy implementation, despite pushback from officials.

“Without actions to address these shortcomings, ONCD will likely lack information on plan outcomes and encounter uncertainty on funding of activities,” the GAO report summary says.

The National Cyber Strategy is a multi-pronged document meant to bolster the federal government’s cybersecurity posture, including its workforce. The strategy also came with a hefty implementation plan, released this past summer, that recommended specific agencies carry out components of the framework to meet its goals, including hardening defenses against critical infrastructure hacks and taking an offensive stance against nation states and cybercriminals seeking to compromise U.S. interests.

ONCD agreed with the improvements to outcome-oriented measures, according to GAO. The oversight agency identified an example in the Treasury Department where officials developed a measurement system for determining the dollar value of ransomware attacks that hackers use to hold sensitive data or systems hostage in exchange for a ransom payment.

But the White House still disagreed with the cost estimation recommendations, the report says.

“ONCD staff said estimating the cost to implement the entire strategy was unrealistic. However, while certain initiatives may not warrant a specific cost estimate, other activities supporting some of the key initiatives with potentially significant costs justify the development of a cost estimate” the oversight agency said.

Rep. Gerry Connelly, D-Va., ranking member on the House Oversight Committee’s cyber and IT subcommittee, echoed GAO’s concerns, arguing the strategy “confirms that the plan embodies many critical characteristics needed to align and harmonize our federal agencies’ policies” but that it “lacks performance and cost metrics fundamental to improving information sharing, modernizing federal agency defenses, and managing expenditures.”

The implementation plan fully met the criteria of four other tiers outlined by GAO, the report notes.

"The Office of the National Cyber Director appreciates GAO’s longstanding interest in cybersecurity challenges facing the U.S. government and our nation, and the work that went into preparing this report," an ONCD spokesperson told Nextgov/FCW in a statement. "We are aggressively and effectively implementing the President’s National Cybersecurity Strategy and have published an implementation plan to ensure transparency, and accountability. Extensive interagency and private sector coordination will help to achieve our goals: shifting the responsibility of cybersecurity away from individuals, small business and local governments to the largest, most capable actors, and realigning incentives to favor long-term investments in security, resilience, and promising new technologies."

Nextgov/FCW Staff Reporter Natalie Alms contributed to this report.

Editor's note: This report has been updated to include comment from ONCD.