The Government Accountability Office (GAO) released a new report indicating that the National Institute of Standards and Technology (NIST) can be doing a better job at implementing some of its key practices for its National Initiative for Cybersecurity Education (NICE) program.
The NICE program is a workforce program whose mission is to “energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development,” according to the program’s website.
“NIST’s process for assessing the NICE program included fully implementing the practice of involving stakeholders. However, other key practices for establishing a program-level performance process were not fully implemented,” the GAO report says.
The report found that out of the nine practices, “NIST fully implemented one, partially implemented five, and did not implement three.” Some practices that the program needs to apply for its success include using “data to assess progress towards goals and [identifying] any gaps,” as well as simply developing performance measures for the program overall.
Other partially implemented practices include assessing the program environment, “[tracking] information that is timely/accurate/useful,” and regularly communicating progress with stakeholders.
The report makes eight recommendations to develop the program’s goals. Specifically, GAO recommends that the director of NIST should ensure that the director of NICE:
- Develops a program performance plan with goals that are measurable;
- Updates the program’s environmental scan documentation to include an assessment of how the outcomes and impacts of the identified programs, projects, and initiatives may affect the program’s achievement of its performance plan and the strategic plan goals;
- Assesses and justifies the resources that the program requires to achieve its performance plan and the strategic plan goals;
- Establishes performance measures with a plan to collect the data needed to assess progress toward each performance goal;
- Regularly collects program performance information that is measurable, timely, accurate, and useful;
- Reports measurable program performance information to stakeholders;
- Assesses progress toward achieving program performance goals with measurable performance information; and
- Uses performance information to manage the program, including to identify opportunities to improve program results, as appropriate.
“Without reliable data to manage the NICE program’s performance, NIST is not in a position to effectively and efficiently identify obstacles or opportunities to sustain and improve the initiative,” states the report.
The Department of Commerce, which oversees NIST, concurred with all recommendations.