Watchdog suggests clearer delineation of cybersecurity roles

Federal CIO argues agencies already know their responsibilities.

To support the national cybersecurity plan, the White House must better define agency roles in preventing attacks and establish performance metrics, according to a new report from the Government Accountability Office.

Federal agencies have overlapping cybersecurity responsibilities, and "it is unclear where overall responsibility for coordination lies," GAO said in a performance audit of the Comprehensive National Cybersecurity Initiative conducted between December 2008 and March 2010. The audit also noted the lack of measures to determine whether the initiative, which the Bush administration started in January 2008 and President Obama endorsed, is effective.

"While planning for CNCI has been broadly coordinated, the initiative faces challenges if it is to fully achieve its objectives related to securing federal information systems, which include reducing potential vulnerabilities, protecting against intrusion attempts and anticipating future threats," GAO said. "Until they are addressed within CNCI, the initiative risks not fully meeting its objectives."

The watchdog agency recommended the White House spell out the roles of key CNCI participants, including the National Cybersecurity Center, and track progress in making federal information systems more secure.

Federal Chief Information Officer Vivek Kundra disagreed with GAO's assessment. In response to the report, he said agencies' roles and responsibilities are clearly defined, noting all 12 segments of the security strategy have lead agencies. Those agencies are "held to implementation plans and report quarterly on their progress against goals," he said. The National Cybersecurity Center is responsible for assisting with situational awareness across the public and private sectors, he added.

GAO also recommended the White House share as much information on the initiative as possible and offer justification when it withholds details from the public. In an initial step, White House Cybersecurity Coordinator Howard Schmidt last week directed the release of a summary description of the largely classified initiative.

In addition, the watchdog suggested the Office of Management and Budget address two federal cybersecurity challenges that are not connected to specific CNCI projects: coordinating cybersecurity activities with international partners, and enhancing identity management linked to implementation of Homeland Security Presidential Directive 12, or HSPD-12, which requires agencies to issue federal employees and contractors standard biometrically enabled identification cards to enter government buildings and to access computer networks.

Kundra said the administration's national security staff manages coordination with international partners, and that the strategic approach to identity management is well-established through the November 2009 Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance.

"The security of federal information systems is a major concern of this administration," he said.
