GAO: High-Level Cybersecurity Roles, Responsibilities Unclear

Federal cybersecurity strategy documents have assigned high-level roles and responsibilities but have left important details unclear, GAO has said.

It said, for example, that the chartering directives for several offices within DoD assign overlapping roles and responsibilities for preparing for and responding to domestic cyber incidents.

Last October, GAO recommended that the department update its guidance on preparing for and responding to domestic cyber incidents to include a description of its roles and responsibilities, but it remains unclear how OMB and DHS are to share oversight of individual departments and agencies, according to GAO-13-187.

It said that while the law gives OMB responsibility for oversight of federal government information security, OMB transferred several of its oversight responsibilities to DHS.

Both DHS and OMB have issued annual Federal Information Security Management Act reporting instructions to agencies, which could create confusion among agency officials because the instructions vary in content, GAO said, adding that clarifying oversight responsibilities is a topic that could be effectively addressed through legislation.

 
