GAO: Ways to Strengthen National Cybersecurity Strategy Implementation

A new report by the Government Accountability Office (GAO) warns of steps that the White House’s Office of the National Cyber Director (ONCD) should take to ensure the effective and consistent implementation of the administration’s National Cybersecurity Strategy (NCS).

Specifically, GAO recommends that the ONCD should develop both outcome-oriented performance measures and implementation cost estimates for the NCS to ensure that the strategy is effective government-wide.

The White House released its National Cybersecurity Strategy (NCS) last March, to address the complex threats and secure the U.S. digital ecosystem and the technologies that undergird it. The administration followed-up in July with their National Cybersecurity Strategy Implementation Plan (NCSIP), outlining more than 65 “high-impact initiatives” that range in scope from combatting cybercrime to building a skilled cyber workforce.

In its assessment, GAO said the NCS and NCSIP jointly addressed four of six desirable characteristics which GAO had previously identified in its prior work. Those four are: purpose, scope, and methodology (characteristic #1); problem definition and risk assessment (#2); organizational roles, responsibilities, and coordination (#5); and integration and implementation (#6).

However, GAO determined that the ONCD strategy and IP only partially addressed the following other two characteristics.

NCS Implementation Needs Performance Measures

In assessing the characteristic of Goals, Subordinate Objectives, Activities, and Performance Measures (#3) GAO found that the NCS/IP did not include “outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success,” although goals, activities, milestones and priorities are addressed.

ONCD said it was not realistic or feasible to develop outcome-oriented measures at this point. However, GAO disagreed, citing an example where the Department of the Treasury collects information on the number and dollar value of ransomware-related incidents as a means to measuring effectiveness.

NCS Implementation Needs Cost Estimates

In assessing the characteristic of Resources, Investments, and Risk Management (#4) – GAO found that the NCS/IP did not include specific details on the estimated cost of the plan’s initiatives, while they did address risk management and partially addressed the sources and types of resources and investments needed to carry out the initiatives.

ONCD balked at estimating the cost to implement the entire strategy as unrealistic, “due to the current nature of the budget process, where costs may be embedded in agencies’ baseline budgets,” according to the report. GAO acknowledged efforts that the ONCD currently uses to account for operational costs in their budget, including staff resources and supporting contracts. However, GAO asserts that “some of the key initiatives with potentially significant costs justify the development of a cost estimate … to effectively managing programs. Without such information, uncertainty can emerge about investing in programs.”

The ONCD did note that between the March NCS release and the July NCSIP release, the Office of Management and Budget (OMB) directed federal Executive Branch departments and agencies to align their fiscal year (FY) 2025 budgets with the administration’s cross-agency cybersecurity investment priorities outlined in the NCS. Such yearly budget alignment memos are expected in the future as well.

Implications

Clearly, and to be fair, the ongoing evolution and implementation of the NCS is a work in progress. That said, programs noted by GAO at the Treasury Department and other agencies provide examples for ways that potential performance measures may be applied to other areas covered by the NCS, and potentially roll up to provide a more comprehensive view of overall NCS implementation effectiveness, as well as costs. The performance-to-cost relationship assessment is critical to any organization’s measurement of its program effectiveness. All the more, given the critical importance that cybersecurity plays in national security and daily operations.

Many existing agency cybersecurity programs are supported by industry solutions and service providers under federal contracts. From this latest GAO assessment, and the examples they cite, there may be some potential opportunities out there to apply current efforts and solutions to adjacent and transferable applications and build greater performance and cost measurement capabilities along the way.