National cybersecurity plans lack performance measures and estimated costs, GAO says | CyberScoop<\/title> <meta name=\"description\" content=\"In response to the watchdog\u2019s report, the Office of the National Cyber Director said that performance measures don't really exist in the cybersecurity field.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/gao-national-cybersecurity-strategy\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"National cybersecurity plans lack performance measures and estimated costs, GAO says\"> <meta property=\"og:description\" content=\"In response to the watchdog\u2019s report, the Office of the National Cyber Director said that performance measures don't really exist in the cybersecurity field.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/gao-national-cybersecurity-strategy\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-02-01T20:18:27+00:00\"> <meta property=\"article:modified_time\" content=\"2024-02-02T14:49:15+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706643139g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1706739156\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1706739156\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=b50a7fc68d02387a0cbc\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1706739156\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79027\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79027\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgao-national-cybersecurity-strategy%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgao-national-cybersecurity-strategy%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79027 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/gao-national-cybersecurity-strategy\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.880813953488\">\n<div class=\"single-article__header-content\" readability=\"30.866894197952\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> In response to the watchdog\u2019s report, the Office of the National Cyber Director said that performance measures don’t really exist in the cybersecurity field. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> The White House in Washington, D.C. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.965418854143\"><body readability=\"79.514498141264\"><\/p>\n<p>The Office of the National Cyber Director has work to do to improve the implementation of President Joe Biden\u2019s national cybersecurity strategy, according to a watchdog report.<\/p>\n<p>The Government Accountability Office said in a <a href=\"https:\/\/www.gao.gov\/products\/gao-24-106916?utm_medium=social&utm_source=twitter&utm_campaign=usgao\">report released Thursday<\/a> that the <a href=\"https:\/\/cyberscoop.com\/biden-national-cybersecurity-strategy-2023\/\">national cybersecurity strategy<\/a> lacks performance measures and estimated costs, which the watchdog believes is essential for a national strategy.<\/p>\n<p>The GAO said that \u201cneither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success.\u201d The initiatives outlined in the <a href=\"https:\/\/cyberscoop.com\/national-cybersecurity-strategy-implementation-plan-2\/\">implementation plan<\/a> include milestones and expected completion dates, but lacked assessments in \u201cthe extent to which the initiatives are achieving outcome-oriented objectives\u201d like information sharing or updated federal cyber defenses, GAO said.<\/p>\n<p>ONCD staff told the GAO said it wasn\u2019t actually feasible to develop outcome-oriented measures, simply because those measures do not yet exist in the broader cybersecurity field. \u201cThey acknowledged the value of having meaningful outcome-oriented performance measures to assess cybersecurity effectiveness but stated that such measures do not currently exist in the cybersecurity field in general,\u201d the GAO wrote.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>ONCD said that \u201cthis open research problem remains one of significant interest.\u201d<\/p>\n<p>The GAO said that developing performance measures is possible in specific instances. For example, measuring the number of alerts sent out based on incident reporting, which will soon be required after the Cybersecurity and Infrastructure Security Agency issues the final rule for the Cyber Incident Reporting for Critical Infrastructure Act. ONCD \u201ccould survey users of these threat information products to determine what specific impacts these products had on the security of their networks,\u201d the GAO wrote.<\/p>\n<p>Without performance measures, the ONCD limits the ability to show the effectiveness of the strategy, the GAO said. OCND accepted GAO\u2019s recommendation to assess initiatives that have outcome-oriented performance measures.<\/p>\n<p>Additionally, the strategy and implementation plan lacks details on the cost of the initiatives. ONCD staff told the watchdog that estimating costs is \u201cunrealistic goal due to the current nature of the budget process,\u201d as costs could be in an agency\u2019s baseline budget. Again, the GAO said that the office should still provide estimations where applicable.<\/p>\n<p>ONCD said that it does not concur with cost estimates recommendation. ONCD noted in its response that it and the Office of Management and Budget issue an annual memorandum to federal department and agency heads detailing the administration\u2019s priority and budgets are allocated from the memo.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWithout outcome-based performance measures, ONCD and its stakeholders will be limited in gauging the effectiveness of actions taken to implement the strategy,\u201d the GAO wrote. \u201cFurther, without estimating the costs of implementing applicable initiatives, ONCD and other implementing agencies will be challenged in ensuring that adequate resources are available for those initiatives.\u201d<\/p>\n<p>An ONCD spokesperson said in a statement that the office \u201cappreciates GAO\u2019s longstanding interest in cybersecurity challenges facing the U.S. government and our nation, and the work that went into preparing this report. We are aggressively and effectively implementing the President\u2019s National Cybersecurity Strategy and have published an implementation plan to ensure transparency, and accountability. <\/p>\n<p>\u201cExtensive interagency and private sector coordination will help to achieve our goals: shifting the responsibility of cybersecurity away from individuals, small business and local governments to the largest, most capable actors, and realigning incentives to favor long-term investments in security, resilience, and promising new technologies.\u201d<\/p>\n<p><strong><em>This article was updated Feb. 2, 2024, with a statement from the ONCD.<\/em><\/strong><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.4666666666667\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/gao-national-cybersecurity-strategy\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>National cybersecurity plans lack performance measures and estimated costs, GAO<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1292,1371,117,520,521,439,639],"tags":[1298,1374,119,523,524,443,641],"class_list":["post-2474","post","type-post","status-publish","format-standard","hentry","category-gao","category-gao-report","category-government","category-national-cybersecurity-strategy","category-office-of-the-national-cyber-director","category-policy","category-white-house","tag-gao","tag-gao-report","tag-government","tag-national-cybersecurity-strategy","tag-office-of-the-national-cyber-director","tag-policy","tag-white-house"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gao\/\" rel=\"category tag\">GAO<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gao-report\/\" rel=\"category tag\">GAO report<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-cybersecurity-strategy\/\" rel=\"category tag\">National Cybersecurity Strategy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/office-of-the-national-cyber-director\/\" rel=\"category tag\">Office of the National Cyber Director<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/white-house\/\" rel=\"category tag\">White House<\/a>","tag_info":"White House","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2474"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2474\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2474,"date":"2024-02-01T20:18:27","date_gmt":"2024-02-01T20:18:27","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79027"},"modified":"2024-02-01T20:18:27","modified_gmt":"2024-02-01T20:18:27","slug":"national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/02\/01\/national-cybersecurity-plans-lack-performance-measures-and-estimated-costs-gao-says\/","title":{"rendered":"National cybersecurity plans lack performance measures and estimated costs, GAO says"},"content":{"rendered":"