Skip to main content

Cybersecurity: National Cyber Director Needs to Take Additional Actions to Implement an Effective Strategy

GAO-24-106916 Published: Feb 01, 2024. Publicly Released: Feb 01, 2024.
Jump To:

Fast Facts

Cyberattacks threaten federal information systems and the nation's critical infrastructure. The Office of the National Cyber Director leads national cyber policy and strategy.

The Office has a plan to implement the White House's National Cybersecurity Strategy. As of January 2024, the strategy and plan provide a good foundation, but the Office still needs to include more details in the plan to ensure that the strategy can be implemented consistently and effectively government-wide.

Specifically, we recommended that the Office establish performance measures and estimate implementation costs.

An image of a cybersecurity user interface imposed over a photograph of the White House

Skip to Highlights

Highlights

What GAO Found

The National Cybersecurity Strategy and its implementation plan jointly addressed four of six desirable characteristics identified in prior GAO work and partially addressed the other two (see figure).

Extent to Which the March 2023 National Cybersecurity Strategy and July 2023 Implementation Plan Addressed GAO's Desirable Characteristics of a National Strategy

Extent to Which the March 2023  National Cybersecurity Strategy

For the partially addressed characteristics, the documents did not fully describe:

  • Outcome-oriented performance measures. Office of the National Cyber Director (ONCD) staff said it was not realistic to develop outcome-oriented measures at this point. However, GAO believes it is feasible to develop such measures where applicable. For example, regarding the key initiative of disrupting ransomware attempts, the Department of the Treasury already collects information on the number and dollar value of ransomware-related incidents—for 2021 the reported total dollar value was about $886 million. This demonstrates that developing such measures is feasible and can be used for measuring effectiveness.
  • Resources and estimated costs. While the implementation plan outlined initiatives that require executive visibility and interagency coordination, it did not identify how much it will cost to implement the initiatives. ONCD staff said estimating the cost to implement the entire strategy was unrealistic. However, while certain initiatives may not warrant a specific cost estimate, other activities supporting some of the key initiatives with potentially significant costs justify the development of a cost estimate. Such cost estimates are essential to effectively managing programs. Without such information, uncertainty can emerge about investing in programs.

Without actions to address these shortcomings, ONCD will likely lack information on plan outcomes and encounter uncertainty on funding of activities.

Why GAO Did This Study

For over 25 years GAO has identified cybersecurity as a high-risk area. During this period, the threat of cyber-based intrusions and attacks on IT systems by malicious actors has continued to grow.

A national strategy to guide the government's cybersecurity activities is needed to address this threat. Recognizing the need for national cybersecurity leadership, Congress established ONCD to support the nation's cybersecurity and lead the development of a national strategy. In March 2023, the White House issued the National Cybersecurity Strategy to outline how the administration will manage the nation's cybersecurity. In July 2023, ONCD issued an implementation plan defining how the strategy will be executed.

GAO's objective was to examine the extent to which the National Cybersecurity Strategy and implementation plan addressed desirable characteristics of a national strategy. To do so, GAO assessed relevant documents and other evidence against desirable characteristics of a national strategy. GAO also interviewed ONCD staff.

Recommendations

GAO is making two recommendations to ONCD to develop outcome-oriented measures and estimate costs of implementation activities. ONCD agreed with GAO's recommendation on outcome-oriented measures but disagreed with the recommendation on estimating costs. GAO continues to believe that ONCD should assess the plan's initiatives to identify those that warrant a cost estimate and develop such cost estimates.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of the National Cyber Director The Director of ONCD should work with relevant federal entities to assess the initiatives that lend themselves to outcome-oriented performance measures and develop such performance measures for those initiatives in a timely manner to gauge effectiveness in meeting the goals and objectives of the National Cybersecurity Strategy. (Recommendation 1)
Open
ONCD agreed with this recommendation and said it will assess the initiatives to identify those that warrant outcome-oriented performance measures. When we confirm what actions ONCD has taken in response to this recommendation, we will provide updated information.
Office of the National Cyber Director The Director of ONCD should work with relevant federal entities to assess the initiatives to identify those that warrant a cost estimate and develop such cost estimates. (Recommendation 2)
Open
ONCD disagreed with this recommendation. We continue to believe that the recommendation is valid because we identified initiatives that may require significant costs. As such, we will monitor ONCD's efforts to address this recommendation.

Full Report

GAO Contacts

Marisol Cruz Cain
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Agency evaluationsCost estimatesCritical infrastructureCritical infrastructure protectionCybersecurityCyberspaceHigh-risk issuesHomeland securityInformation systemsInformation technologyNational securityPerformance measurementRisk management