“Shortcomings persist in assessing risks, developing and implementing security programs, and monitoring results at federal agencies,” the GAO contends. “This is due in part to the fact that agencies have not fully implemented information security programs, resulting in reduced assurance that controls are in place and operating as intended to protect their information resources.”
Other major problems include a lack of cybersecurity guidance for federal agencies, variances in the degree to which agencies must comply with specific cybersecurity regulations, the lack of a centralized information-sharing system, and the failure of the Department of Homeland Security to fully develop predictive analysis of cyber threats.
Consequently, there remains no coherent and comprehensive national strategy, and little coordination among federal agencies. “The federal cybersecurity strategy has evolved over the past decade with the issuance of several strategy documents and other initiatives that address aspects of these challenge areas,” according to the GAO testimony. “However, there is no overarching national cybersecurity strategy that synthesizes these documents or comprehensively describes the current strategy. In addition, the government’s existing strategy documents do not always incorporate key desirable characteristics GAO has identified that can enhance the usefulness of national strategies.”
The testimony is available here.