Next admin should ‘enhance’ ONCD, cyber policy roadmap says

A bipartisan task force of 40 cyber policy experts says enhancing ONCD is critical to strengthening “cross-government coordination.”

A bipartisan cyber policy roadmap for the next presidential administration recommends boosting the Office of the National Cyber Director to help strengthen government coordination on pressing cybersecurity threats.

The report, released last week by Auburn University’s McCrary Institute, includes a sweeping set of cyber policy recommendations for the next presidential administration. They were developed by 40 former officials from both Democratic and Republican administrations.

“Maybe I’m pollyannish, but I’m optimistic that this issue will continue to drive similarly in whatever direction the country takes,” Frank Cilluffo, director of the McCrary Institute, said in an interview.

“We actually took a step back — what’s working, what’s not, and where do we need to go from here, and where do we have to double down some of our efforts?” he added.

The group made dozens of recommendations cutting across eight “critical themes,” ranging from harmonizing cyber regulation to workforce development.

But as far as the inner machinations of the federal government, the report focuses on strengthening cross-government coordination to “break down silos, enhance information sharing, and create mechanisms for rapid, coordinated responses to cyber threats.”

Key to that is the fledgling Office of the National Cyber Director within the executive office of the president. Established by law in 2021, ONCD advises the president on cybersecurity policy and strategy.

The task force found ONCD’s role has been “pivotal,” but to “fulfill its mandate effectively, ONCD requires enhanced authorities and resources.”

The report recommends doing so by establishing the office as the “primary coordinator for cyber incident response” so it can organize the efforts of the National Security Agency, the Defense Department, the Cybersecurity and Infrastructure Security Agency, the FBI and sector risk management agencies (SRMAs).

“The reason that we need the NCD is because cyber issues cut across so many different departments and agencies that you need a function in the White House to actually bring them all together,” Michael Daniel, a task force member and former cyber coordinator on the Obama administration’s National Security Council, said in an interview.

The task force suggests the next administration “empower ONCD with additional authorities to drive interagency coordination, including the ability to influence budget allocations for cybersecurity initiatives across agencies.”

“Implement ONCD-led integrated portfolio reviews to assess and coordinate cybersecurity investments across the federal government, ensuring the involvement of the Office of Management and Budget,” the report continues. “Create a formal mechanism for ONCD to engage with and coordinate efforts of SRMAs, fostering a more cohesive approach to sector specific cybersecurity challenges.”

Daniel said ONCD’s role should run the gamut on cybersecurity issues, including resources, authorities, workforce, and strategy. The task force is also recommending that within the first 100 days of the new administration, ONCD should lead a “whole-of-government” effort to harmonize cyber regulations.

“We need to make sure that that office can function and it can do the job of what I think of as the organize, train and equip role,” Daniel said. “The NCD’s role is to make sure that the federal government can do the cyber mission.”

SRMA roles

But the report doesn’t just focus on ONCD’s role. It also recommends the next administration strengthen the “SRMA” agencies that each oversee distinct critical infrastructure sectors.

“Establish clear lines of accountability within SRMAs, ensuring that those with decision-making authority also have the ability to influence resource allocation and implementation of cybersecurity measures,” the report recommends. “Develop clear metrics and performance indicators to assess the effectiveness of SRMAs in improving their sectors’ cybersecurity posture.”

The task force also suggests the Biden administration missed an opportunity with national security memorandum-22 to revise how agencies approach critical infrastructure, as well as the potential to add new sectors, such as the space sector.

“NSM-22 maintained a sector structure that is likely outdated and missed an opportunity to better harmonize with NATO allies,” the report states. “The sector structure should be freshly evaluated based on a set of defined and transparent criteria to capture the cyber risk environment.”

Strengthening CISA

The report additionally recommends strengthening CISA. The cyber agency coordinates cybersecurity operations across civilian agencies. It also serves as the “national coordinator” for critical infrastructure.

CISA has grown in both authorities and resources throughout the Biden administration. But the task force found “challenges remain in terms of its authority to compel action from other federal agencies, its ability to streamline and/or integrate the federal government’s engagement of the private sector, and its own capacity given longstanding resource limitations to engage effectively with the private sector.”

Strengthening CISA will involve providing “adequate funding for CISA’s operational systems and managed services offerings for federal agencies,” as well as clarifying the agency’s roles and responsibilities “to avoid duplication with other agencies while ensuring it has the necessary authorities, resources, and staffing required for its mission,” according to the task force.

Daniel said CISA should have a much stronger role in managing cybersecurity across federal civilian agencies, akin to how the General Services Administration supplies products and technologies across the federal government.

“Part of the deal for the agencies is, ‘Hey, you get to get rid of something you don’t like, which is dealing with a lot of the cyber things,’” Daniel said. “In exchange, you get to go focus your time and effort on apps that matter to your agency, on things that matter to your workforce, on things that actually help you achieve your mission better, instead of worrying about this backbone IT and cybersecurity problems that are always going to be a second order problem for you.”

Copyright © 2024 Federal News Network. All rights reserved.
