AOH :: ISN-3213.HTM

GAO: Feds still lack security research agenda

GAO: Feds still lack security research agenda
GAO: Feds still lack security research agenda 

By John Monroe
Nov. 1, 2006

The federal government does a lot of research and development work in 
information security, but its efforts still lack a coherent focus, 
according to a Government Accountability Office report.

The primary problem is that the government has not developed an 
overarching R&D agenda, the report states. Numerous agencies are 
actively researching security issues, but they are not coordinating 
their work. Those agencies also need to do a better job of sharing 
information about their research with one another and with industry, 
according to GAO.

"Until these issues are addressed, federal research for cybersecurity 
and information assurance may not keep pace with the increasing number 
of threats and vulnerabilities," GAO auditors wrote in the cover letter 
to their report, provided to Rep. Tom Davis (R-Va.), chairman of the 
House Government Reform Committee.

The idea of a research agenda stems from the National Strategy to Secure 
Cyberspace, published in 2003. According to that report, the federal 
government should develop a road map for addressing identified gaps in 
security research.

The 2003 report recommends looking at research requirements in three 
segments: near term (one to three years), midterm (three to five years) 
and long term (five years or more). GAO auditors are not so concerned 
about near-term efforts. But the lack of an agenda "increase[s] the risk 
that mid- and longer-term research priorities may not be achieved," the 
GAO report states.

GAO says agencies have made some progress in recent years. For example, 
they created an interagency working group to focus on security research 
and published a federal plan for guiding their research.

But that plan falls short of being the comprehensive agenda the 
government requires, auditors concluded. The agenda should outline 
specific milestones for conducting research, specify goals and measures 
for evaluating that work, and assign responsibilities for carrying it 

GAO recommends that the director of the Office of Science and Technology 
Policy establish a timeline for developing such an agenda.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods