GAO Urges NCCIC to Develop Metrics, Process for Evaluating Cybersecurity Performance
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) is generally performing the 11 cybersecurity functions required under the 2014 National Cybersecurity Protection Act (NCPA) but must fully establish metrics and a method for evaluating its performance, GAO reported Wednesday. NCCIC is charged under NCPA and the 2015 Cybersecurity Act with acting as the main federal civilian portal for cybersecurity-related information sharing, and it manages a range of programs related to monitoring for and mitigating cybersecurity vulnerabilities (see 1412100052 and 1512160068). NCCIC hasn't “determined the applicability” of NCPA-required implementation principles to all of its required cybersecurity functions nor “established metrics and methods by which to evaluate its performance against the principles,” GAO said. “Until NCCIC determines the applicability of the principles to its functions and develops metrics and methods to evaluate its performance against the principles, the center cannot ensure that it is effectively meeting its statutory requirements.” GAO also said a range of factors is impeding NCCIC from “efficiently” performing its role, including an inability to “completely track and consolidate cyber incidents reported to the center.” NCCIC doesn’t have “ready access” to the contact information for all owners and operators of cyber-dependent critical infrastructure entities, GAO said. DHS agreed to GAO recommendations.