The Government Accountability Office has released a study of the Comprehensive National Cybersecurity Initiative established by President Bush in 2008. Last week, a declassified version of the CNCI was released with the new administration’s changes and adaptations. GAO issued the study in response to ongoing threats to federal systems from cyber attacks.
GAO was asked to determine what actions have been taken to develop interagency mechanisms to plan and coordinate CNCI activities and to determine what challenges CNCI faces in achieving its objectives. In the study, GAO made several suggestions to OMB, most of which were met with agreement.
Members of the GAO that completed the study believe that if those challenges are not addressed, CNCI will not achieve its goal to reduce vulnerabilities, protect against attack and anticipate future threats.
In a letter written to members of the House of Representatives, GAO officials urged them to take action and continue to refine CNCI. Without heeding the recommendations, GAO warned, CNCI will not be able to achieve its goals. The letter also outlined CNCI's challenges and limitations, followed by GAO's recommendations.
Among its recommendations is establishing an appropriate level of transparency; GAO says that current classifications of CNCI projects will hinder the effectiveness of the program. The legal appendix, not included in the declassified version, is one document that many believe should be added to the declassified plan. Furthermore, GAO believes that more transparency will aid accountability and help coordinate activities with the public sector.
GAO determined the main challenges facing CNCI to be:
- Defining roles and responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it remains unclear where overall responsibility lies.
- Establishing measures of effectiveness. The initiative has not yet developed measures of its effectiveness in meeting its goals.
- Establishing an appropriate level of transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector companies.
- Reaching agreement on the scope of educational efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative.
GAO also identified strategic challenges that are beyond the scope of CNCI:
- Coordinating actions with international entities. The federal government does not have a formal strategy for coordinating outreach to international partners.
- Strategically addressing identity management and authentication. Authenticating the identities of persons or systems seeking to access federal systems remains a significant government-wide challenge.
GAO made the following recommendations for executive action:
- Better defining agency roles and responsibilities
- Establishing measures of effectiveness
- Establishing an appropriate level of transparency
- Coordinating interactions with international entities
- Strategically addressing identity management and authentication
- Reaching agreement on the scope of education efforts