CNCS has devoted significant resources to improving cybersecurity over the past few years, with meaningful progress. Although its information security program is not yet sufficiently mature, it can reach effectiveness with continued effort and investment.
Achieving effectiveness will require attention to weaknesses that pose significant risks to information security. Our 2017 evaluation found inadequacies in risk management, configuration management, identity and access management, information security continuous monitoring, and contingency planning. Enforcement of information security is inconsistent across the enterprise, with field components remaining especially vulnerable. These continuing vulnerabilities leave CNCS operations and assets at risk of unauthorized access, misuse and disruption. Our report offers 34 recommendations to address the identified weaknesses and assist CNCS in strengthening its information security program. Eight of the recommendations relate to prior findings that have not been completely addressed by CNCS.