Congress authorized the creation of the Office of the National Cyber Director back in 2021, and the White House issued the National Cybersecurity Strategy earlier...
Congress authorized the creation of the Office of the National Cyber Director back in 2021, and the White House issued the National Cybersecurity Strategy earlier this year. So how is it doing implementing said strategy? Well, the Government Accountability Office looked to answer that very question with a snapshot of where things stand. To learn more, The Federal Drive with Tom Temin spoke to Marisol Cruz Cain, Director of the Information Technology and Cybersecurity team at GAO.
Interview Transcript:
Marisol Cruz Cain Well, back in September 2020, we first took a look at the previous administration’s national cyber strategy and the implementation plan that came along with it. And we noticed some missing elements there. And when the new administration issued their strategy in 2023, we thought it was important that we looked at it, took a look at it the same way we took a look at the previous administration’s strategy to look for the critical elements that GAO feels should be in a national strategy. So we were able to do that with the strategy itself, since the implementation plan hasn’t come out yet. And we wanted to just give our initial thoughts on what that strategy contained.
Eric White And those initial thoughts, please.
Marisol Cruz Cain Absolutely. So we have six critical elements of what we think a national strategy should have in it. And the strategy for the current administration identified its purpose, what the scope of it was and the methodology that they used to come up with the strategy. It also outlined very clearly what the problem was. Cybersecurity has a very clear problem and what risks were involved. And then lastly, it really laid out how it integrated with other key cybersecurity documents like the executive order on cybersecurity and different OMB guidances that deal with cyber and how those were helping with the implementation of the strategy. But what we didn’t find were specific milestones with dates that these all of the items that it had in it were supposed to be done by or performance measures. How are we going to measure how any of this was successful in the strategy? Another thing that we were looking for that we didn’t find was the total cost for the efforts contained in the strategy. And then also initially, when we looked at it, we didn’t find prioritizing how agencies were supposed to set their investments to achieve the goals and the strategy. And then lastly, specific roles and responsibilities. There were some areas that we found didn’t have a specific agency assigned to it and kind of left it very vague who is going to be in charge of implementing those specific goals?
Eric White Cybersecurity is a pretty malleable thing, and a lot of these goals were kind of abstract, you know, protecting cyber critical infrastructure. You know, how do you how do they quantify when a goal is reached when it comes to cybersecurity?
Marisol Cruz Cain I think that’s one of the things we were saying that was missing. We didn’t see any real performance measures there to say, okay, we’ve got our five pillars. You mentioned one being the critical infrastructure. They laid out five specific goals that they had within that larger objective. But what it is missing is how are we going to measure them? Who is going to measure them? And what are the specific tiny little steps that are going to be taken to achieve those overall goals?
Eric White So what you’re all basically looking for is more of a comprehensive plan rather than saying good things and hoping that they all kind of fall into place.
Marisol Cruz Cain Absolutely. There is no way that we can implement such a broad and comprehensive plan without specifics in there, specific steps, they want the agencies to take, specific people who are going to oversee those steps. How are the agencies going to be responsible for allocating resources to those steps? Where are they going to get the money? What are they expected to do? How long are they expected to do it in? So what on CD have told us is they’re going to issue an implementation plan similar to the previous administration. And the latest date that they gave us for its release is mid-July. So we are kind of waiting to see if that’s going to happen. But we’re hoping that the implementation plan outlines these really specific nuances that we need to understand exactly how these larger, like you said, really broad goals are going to be implemented. Who’s going to help with that, and how the agencies are expected to allocate their resources and get those things done?
Eric White Yeah, this is no small task. Getting all of that together. Where did the administration say that they were kind of starting as a base? Is it just getting that implementation plan ready or are they starting from critical infrastructure or starting from, you know, finding the bad actors?
Marisol Cruz Cain They told us that it’s starting with the implementation plan. We know that they’re working with several key federal agencies to develop that implementation plan. A lot of the sector risk management agencies have been involved with ONCD and OMB in creating that implementation plan. And we’re imagining it’s going to cover all of the five pillars. I don’t think they’re going to start one and go one by one. But that’s remain to be seen. We’re waiting for that plan to come out so that we can take a look at it and see exactly how they’ve delineated it, how they’re going to attack that. But they did take an important step by issuing a memo last month that came out on June 28th that did let the agencies know for fiscal year 25 that they should prioritize the five pillars in the strategy and that they were to submit to OMB in their fiscal year budget, how they were going to do that, and then they were going to work with OMB and ONCD to give the agencies feedback on their priorities, see if they’re identifying any gaps, how can they help them close their gaps. So they’re really starting to try to get their guidance to align a little bit better with the strategy. And I think that will be even easier once the implementation plan comes out. If it does contain some of these specific details that GAOs looking for.
Eric White And one of the other issues at hand is, speaking of the ONCD, there is currently no director of it right now. What does the leadership of the office look like at the current moment? And you know who’s running day to day operations?
Marisol Cruz Cain Well, the previous cyber director resigned in June 2021. So since then we have the acting director, Pamela Walden, and she has been taking care of all of the day to day. So we have the plan going out under her. The implementation plan has been created under her. And as we mentioned in our snapshot, we really think it’s time for a permanent cyber director to be appointed. It is very important that there is sustained leadership there. We’ve noted in several reports that leaders, in order to be effective, need to be in a position from 3 to 5 years and in order to implement a major change initiative, which we see this strategy being, a leader needs to be in place from 5 to 7 years. So we’re hoping that we get a permanent director and they can be in for a longer period of time.
Eric White Did the folks you all talk to at the office talk about how challenging it was to implement such long term goals without having a permanent leader in place to direct the ship?
Marisol Cruz Cain Unfortunately, they did not. We weren’t really able to get too much information in that area. But I do know that it’s been public that people on the Hill have been requesting that we get a permanent cyber director and we are definitely in line with that and hope that that will help in the long run to have a consistent one leader that will be able to take this implementation strategy from its beginning to effectively implementing it.
Eric White Yeah. And what does a successful implementation plan look like? Is it just having a secure atmosphere for X amount of years or just hoping that there are no major events that come across any agency in the near future?
Marisol Cruz Cain I think it looks like being proactive, finding these new methods like zero trust and different methods we’ve been using to not only react to things that have happened, but to detect things before they happen in the future. You really can’t secure something by continuously just patching things that you found. We really need to get into, you know with CISA. CISA’s putting out their national security advisories and security advisories, letting agencies know we’ve had these problems. Take a look at your system. Evaluate where your system is so this doesn’t happen to you. So we’ve got to get into this groove of looking forward. What could happen this one thing. How does it relate to your system? How can you be proactive in protecting your systems from other incidents taking place? So it really looks like securing what we have now, but also continuously looking at your processes to make sure you’re looking into the future and you’re trying to protect from things that have not happened to you yet, but could. And also taking a look at our emerging technologies and how those fit into your agencies, but also how can we start using them securely so that we don’t start using them and then something happens and then we worry about security. So it’s really taking a proactive stance.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED