White House slow to implement cybersecurity recommendations, GAO says

The White House moves to implement the 22 recommendations of a cybersecurity review last year, auditors find.

The White House is slow to implement its national cybersecurity strategy, partly because of a seven-month delay in filling the job of national cyber coordinator, a new report from the Government Accountability Office states.

President Barack Obama’s national cyber policy review in May 2009 included 24 recommendations, including the need for a national cyber coordinator. The president named Howard Schmidt as White House Cybersecurity Coordinator last December.

The administration has fully implemented two of the 24 recommendations and partially implemented 22 of them, David Powner, director of information technology management issues at GAO, wrote in a report released Oct. 6.


For example, some progress has been made toward building a cybersecurity-based identity management vision and strategy that deals with privacy and civil liberties, the report said. In June the administration released a draft National Strategy for Trusted Identities in Cyberspace.

The White House Office of Science and Technology Policy is developing a framework for cybersecurity research and development, but it will not be final until 2011.

GAO said implementation has been hampered because of the seven-month vacancy in the cyber coordinator position, and as a result agency leaders have not been assigned roles and responsibilities for carrying out the cybersecurity policy.

Although federal officials claim to be moving on the strategy, GAO said there are no benchmarks, plans or schedules that show how and when 16 of the 22 recommendations will be completed.

“Consequently, until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country’s cyber infrastructure at risk,” Powner concluded.

The auditing agency made two recommendations: to assign roles and responsibilities, and to develop milestones for implementing the 16 recommendations from the president’s review of 2009.

Schmidt, in responding to a draft copy of the report, did not offer comments except to cite additional progress made by his office on several fronts. He said there were significant gains made in a national cyber research and development strategy completed in May, and there was a National Initiative for Cybersecurity Education held in August.