GAO: Only two of Obama administration's 22 cyber policy items are complete
Of the 24 near- and mid-term action items listed in President Obama's May 2009 cyber policy review, only two are fully implemented, and both involved appointments within the National Security Council, says the Government Accountability Office.
Twenty-two items are partially implemented, and of those, 16 have no specific milestones or implementation plans, according to the GAO report, released Oct. 6 but based on briefings the watchdog agency gave Congress in early August.
Until schedules, roles and responsibilities are clarified and the planning shortfalls are addressed, "there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report says.
Agencies involved in implementing the recommendations told GAO auditors that progress has been slow because the cybersecurity coordinator has yet to clearly assign roles and responsibilities. The position, now held by Howard Schmidt, was vacant for seven months after the cyber policy review, which may have delayed agency engagement.
Agency officials also told the GAO that some of the partially completed items will likely remain that way for some time, since they will require action over multiple years. For example, the recommendation to "expand sharing of information about network incidents and vulnerabilities with key allies" is "very broad [and] will require additional guidance," said the GAO report.
The report recommends that Schmidt designate roles and responsibilities, and develop milestones and plans for the recommendations that lacked key planning elements. While the cyber coordinator's office added no comments or recommendations to the report, Rep. Bennie G. Thompson (D-Miss.), chairman of the Homeland Security Committee, said in a prepared reaction that the GAO's findings were "troubling." Thompson urged Schmidt to act immediately on the report's recommendations.
For more:
- see the report, GAO-11-24 (.pdf)
- see Thompson's press release