National cybersecurity plans lack performance measures and estimated costs, GAO says

In response to the watchdog’s report, the Office of the National Cyber Director said that performance measures don't really exist in the cybersecurity field.

The Office of the National Cyber Director has work to do to improve the implementation of President Joe Biden’s national cybersecurity strategy, according to a watchdog report.

The Government Accountability Office said in a report released Thursday that the national cybersecurity strategy lacks performance measures and estimated costs, both of which the watchdog considers essential for a national strategy.

The GAO said that “neither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success.” The initiatives outlined in the implementation plan include milestones and expected completion dates, but lack assessments of “the extent to which the initiatives are achieving outcome-oriented objectives” such as information sharing or updated federal cyber defenses, GAO said.

ONCD staff told the GAO it wasn’t feasible to develop outcome-oriented measures, because such measures do not yet exist in the broader cybersecurity field. “They acknowledged the value of having meaningful outcome-oriented performance measures to assess cybersecurity effectiveness but stated that such measures do not currently exist in the cybersecurity field in general,” the GAO wrote.

ONCD said that “this open research problem remains one of significant interest.”

The GAO said that developing performance measures is possible in specific instances. For example, ONCD could measure the number of alerts sent out based on incident reporting, which will soon be required once the Cybersecurity and Infrastructure Security Agency issues the final rule for the Cyber Incident Reporting for Critical Infrastructure Act. ONCD “could survey users of these threat information products to determine what specific impacts these products had on the security of their networks,” the GAO wrote.

Without performance measures, ONCD limits its ability to show the effectiveness of the strategy, the GAO said. ONCD accepted GAO’s recommendation to assess initiatives using outcome-oriented performance measures.

Additionally, the strategy and implementation plan lack details on the cost of the initiatives. ONCD staff told the watchdog that estimating costs is an “unrealistic goal due to the current nature of the budget process,” as costs could be folded into an agency’s baseline budget. Again, the GAO said that the office should still provide estimates where applicable.

ONCD said that it does not concur with the cost estimates recommendation. ONCD noted in its response that it and the Office of Management and Budget issue an annual memorandum to federal department and agency heads detailing the administration’s priorities, and that budgets are allocated based on that memo.

“Without outcome-based performance measures, ONCD and its stakeholders will be limited in gauging the effectiveness of actions taken to implement the strategy,” the GAO wrote. “Further, without estimating the costs of implementing applicable initiatives, ONCD and other implementing agencies will be challenged in ensuring that adequate resources are available for those initiatives.”

An ONCD spokesperson said in a statement that the office “appreciates GAO’s longstanding interest in cybersecurity challenges facing the U.S. government and our nation, and the work that went into preparing this report. We are aggressively and effectively implementing the President’s National Cybersecurity Strategy and have published an implementation plan to ensure transparency and accountability.

“Extensive interagency and private sector coordination will help to achieve our goals: shifting the responsibility of cybersecurity away from individuals, small business and local governments to the largest, most capable actors, and realigning incentives to favor long-term investments in security, resilience, and promising new technologies.”

This article was updated Feb. 2, 2024, with a statement from the ONCD.