A new study from The Brookings Institution slams federal agencies for doing a poor job of making cybersecurity part of their strategic plans.
While federal officials tend to talk the right talk (the study points to the cybersecurity plans President Obama outlined in his State of the Union address), federal agencies fail to back that talk up with action.
After passage of the Government Performance and Results Modernization Act of 2010, federal agencies were required to set out a strategic plan. The U.S. Department of Health and Human Services' plan is one of the most detailed at 125 pages, and also one of the most IT-focused. Overall, however, the study's authors call the plans' focus on cybersecurity "abysmal," according to a blog post by Kevin Desouza, associate dean for research at the College of Public Programs at Arizona State University and a non-resident senior fellow in Governance Studies at the Brookings Institution.
The Defense and Energy departments are notable exceptions, Desouza says. Overall, half of the federal agencies' strategic plans don't mention cybersecurity at all, and few discuss cybersecurity efforts in any detail.
"The major issue that we uncovered was that even though the threats of attacks to critical infrastructure are at an all-time high, most of the agencies lack clear plans on how to invest in capabilities to actually deal with these threats, and also, in the agencies where they had clear plans or clear actions, there were no real performance evaluation metrics to actually uncover if these investments are actually going to pay off," Desouza tells Federal News Radio.
The Department of Veterans Affairs, which has suffered a number of embarrassing breaches, in November redirected $60 million to its cybersecurity efforts. However, a series of reports from its Inspector General continues to hammer the agency for lacking the discipline and accountability needed for effective oversight of its IT projects.