While the Department of Homeland Security (DHS) has worked toward implementing necessary cybersecurity measures in its National Cybersecurity and Communications Integration Center (NCCIC), there are still factors impeding its efficiency and effectiveness, the Government Accountability Office (GAO) found.
NCCIC is required by the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 to perform 11 cybersecurity-related functions. These include sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities, GAO explained in a recent report.
These functions must adhere to nine implementing principles. However, NCCIC has not yet determined how those principles apply to all 11 functions. Several instances were also identified where cybersecurity functions were not performed in accordance with the principles.
“Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks,” the report’s authors wrote.
GAO added that while NCCIC has taken necessary steps to perform its required cybersecurity functions, “the extent to which NCCIC carried out these functions in accordance with the nine principles” is unclear because the center has not evaluated its performance consistently.
“Nevertheless, NCCIC has limited assurance that it is fully meeting statutory requirements and efficiently performing its cybersecurity functions because it has not completely evaluated its performance against the principles or addressed the impediments to performing its cybersecurity functions,” the report stated.
One of the required 11 functions is that NCCIC must coordinate information sharing across the federal government in relation to “cyber threat indicators, defensive measures, cybersecurity risks and incidents.”
“According to NCCIC officials, the center relies on the NCCIC Portal as a mechanism to coordinate the sharing of these products to customers,” GAO explained. “Specifically, the portal is comprised of 35 compartments, which include customers across the globe, and within government and various critical infrastructures.”
Another required function is that NCCIC must “facilitate cross-sector coordination to address cybersecurity risks and incidents.” In this regard, NCCIC has six products and services in place to support the function.
“For example, the center facilitates cross-sector coordination to address cybersecurity risks and incidents through its Industrial Control Systems Joint Working Group and its Incident Notifications,” the report’s authors wrote.
Risk management support, along with timely technical assistance, is also a required NCCIC function. This is where the United States Computer Emergency Readiness Team (US-CERT) comes into play, as it is one of the four NCCIC branches.
“In addition, to support risk management, the center conducted, as services, Risk and Vulnerability Assessments, which are activities to assist entities in developing strategies for improving their cybersecurity posture,” GAO said. “According to officials, NCCIC attempts to provide a report of its findings to the requesting entity within 30 days of the assessment.”
All of the principles must ensure that industry sector-specific, academic, and national laboratory expertise is utilized in the proper scenarios. Furthermore, “the information related to cybersecurity risks and incidents [must be] appropriately safeguarded against unauthorized access; and shared information is timely, actionable, and relevant to risks, incidents, and analysis.”
It is not always clear how NCCIC has been implementing the necessary cybersecurity measures.
GAO also reported that there were instances where the cybersecurity functions were not performed in line with the required principles.
“In addition to NCCIC not having made a complete determination of how it is adhering to the principles, a number of factors impede the center’s ability to more efficiently perform several of its cybersecurity functions,” the report’s authors concluded.
There were impediments found with tracking security incidents, maintaining current and reliable customer information, working across multiple network platforms, and collaborating with international partners.
In response, DHS explained in a letter that it agrees with all of GAO’s recommendations and described how it would be making changes to better adhere to them.
“DHS remains committed to protecting our Nation’s critical infrastructure from physical and cyber threats,” the letter stated. “Protecting these systems is essential to the resilience and reliability of the Nation’s critical infrastructure and key resources; therefore, to our economic and national security. The NCCIC is critical to these efforts.”