White House doesn't shine in cybersecurity grading

The Obama administration has received less-than-stellar marks in a recent report card on its cybersecurity policies, earning grades in the B to D range.  

The National Security Cyberspace Institute examined the administration’s record of cybersecurity accomplishments in a white paper published Jan. 18.

NSCI awarded grades for progress against 10 near-term recommendations included in the White House’s 60-day Cyberspace Policy Review released in 2009.

Related story:

DISA creates 'demilitarized zone' for unclassified network

“We awarded grades solely on our view of actual progress – not on good intentions, flowery rhetoric, the number of meetings held, commissions commissioned, or number of times administration officials have mentioned the word ‘cyber,’ ” NSCI wrote.

None of the White House’s near-term action items received an A, for full implementation, or an F, for no progress shown.

NSCI gave the administration a B for designating cybersecurity as one of the president’s key management priorities and establishing performance metrics, noting its recently announced update to the Federal Information Security Management Act. The update shifts the focus from paper-based compliance reports to real-time monitoring of federal networks, according to the institute.

“The change in approach provides for faster identification and response to vulnerabilities,” the white paper states. “The administration believes the new approach builds on best practices from both government and industry, thus making our cybersecurity efforts more effective.”

NSCI also gave the administration a B for a lack of substantial progress in conducting interagency legal analyses of priority cybersecurity-related issues and formulating coherent policy guidance that clarifies the roles, responsibilities and application of agency authorities for cybersecurity-related activities across the federal government.

The administration received a D for the months of delay in appointing Howard Schmidt to the cybersecurity coordinator position, as well as another D for failing to release an updated national strategy to secure the information and communications infrastructure.

NSCI further chose to give the administration a B for continuing the dialogue on international cybersecurity agreements. But the White House earned a C for moving too slowly in preparing a cybersecurity incident response plan and enhancing public-private partnerships.

“In September 2010, the Department of Homeland Security released an interim version of a National Cyber Incident Response Plan, a mere 16 months after President Obama’s declaration of cybersecurity as a top administration priority,” NSCI wrote. “That’s hardly a fast-track agenda.”

The White House also scored a C for not living up to its responsibility to coordinate a national cybersecurity research and development agenda, according to the white paper.