The White House’s Office of the National Cyber Director (ONCD) must establish performance measures and implementation costs for the administration’s recent National Cybersecurity Strategy (NCS) in order for the strategy to be effective across all Federal agencies, a new Government Accountability Office (GAO) report argues.
The Biden administration released its much-anticipated NCS in March, harnessing the full power of the Federal government to promote better security, and wrapping private sector interests more fully into the effort.
The strategy features multiple focus points, including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
Implementation of the strategy is underway under the coordination of ONCD, which produced the plan. Notably, ONCD also published marching orders in July to implement the NCS. The implementation plan lays out 69 “high-impact” initiatives tasked to 18 separate Federal agencies, with a timeline for completion.
“As of January 2024, the strategy and plan provide a good foundation, but the Office still needs to include more details in the plan to ensure that the strategy can be implemented consistently and effectively government-wide,” the Feb. 1 GAO report says. “Specifically, we recommended that the Office establish performance measures and estimate implementation costs.”
GAO argued in its 41-page report that the NCS and its implementation plan jointly addressed four of six desirable characteristics while partially addressing the other two: performance measures and implementation costs. For example, the watchdog agency found that ONCD fully addressed purpose, scope, and methodology as well as organizational roles, responsibilities, and coordination, among other things.
However, the report argues that ONCD did not fully describe outcome-oriented performance measures. “[ONCD] staff said it was not realistic to develop outcome-oriented measures at this point. However, GAO believes it is feasible to develop such measures where applicable,” the report says.
Additionally, GAO believes ONCD must clearly identify the resources and estimated costs for the NCS.
“While the implementation plan outlined initiatives that require executive visibility and interagency coordination, it did not identify how much it will cost to implement the initiatives. ONCD staff said estimating the cost to implement the entire strategy was unrealistic. However, while certain initiatives may not warrant a specific cost estimate, other activities supporting some of the key initiatives with potentially significant costs justify the development of a cost estimate,” GAO said. “Such cost estimates are essential to effectively managing programs. Without such information, uncertainty can emerge about investing in programs.”
“Without actions to address these shortcomings, ONCD will likely lack information on plan outcomes and encounter uncertainty on funding of activities,” the watchdog agency said.
ONCD agreed with GAO’s recommendation on outcome-oriented measures but disagreed with the recommendation on estimating costs.
In written comments to GAO, ONCD said that the Office of Management and Budget (OMB) provides guidance to agencies restricting disclosures of any future year budget plans, “thereby preventing ONCD from providing details such as cost estimates of the initiatives.”
Shortly after the NCS was released, ONCD and OMB set the cyber policy direction for fiscal year 2025 budgets, with an emphasis on tying in the five pillars of the White House’s NCS.
GAO said it continues to believe that ONCD should assess the plan’s initiatives to identify those that warrant a cost estimate and develop such cost estimates.
In a statement, Rep. Gerry Connolly, D-Va. – long a prime mover in Congress for improving Federal IT operations – said the NCS was a “strong first step” towards addressing cyberthreats.
“This GAO report confirms that the plan embodies many critical characteristics needed to align and harmonize our federal agencies’ policies including purpose and scope, risk assessments, implementation guidance, and organizational roles, responsibilities, and coordination,” Rep. Connolly said. “However, the Strategy lacks performance and cost metrics fundamental to improving information sharing, modernizing federal agency defenses, and managing expenditures. Without them, federal agencies are incapable of measuring their own success or failure,” he added.
“As an advocate of quantitative assessments, I urge the ONCD to continue working towards developing outcome-oriented and cost-related metrics to better gauge operation results, manage outlay estimates, and inform and support future budget submission,” the congressman said.