The Department of Homeland Security (DHS) has made progress in a number of areas to bolster the federal government’s and the nation’s cyber security protections but still hasn’t developed an implementation plan, or related performance metrics, for carrying out the eight-year-old National Strategy to Secure Cyberspace, according to the department’s Inspector General (IG).

In a new report, the IG says that the DHS Cybersecurity and Communications (CS&C) office has “made progress in securing cyber space and critical infrastructures,” in part by reaching out to, and sharing information with, critical infrastructure owners and operators in the private and public sectors and with international partners.

CS&C has also raised the public’s awareness of cyber security issues, including working with the private sector and state and local governments, and is promoting public and workforce education, says the report, Planning, Management and Systems Issues Hinder DHS’ Efforts to Protect Cyberspace and the Nation’s Cyber Infrastructure (OIG-11-89).

The report also says that CS&C is actively helping defend the federal civilian government digital space through the Einstein intrusion detection system, various cyber security assessments and publishing of best practices and other tips.

The positives aside, the IG says that if CS&C had a plan to implement the 2003 National Strategy to Secure Cyberspace it “would help ensure that CS&C’s programs and processes align with its mission and national priorities to secure the nation’s critical cyber infrastructure, as outlined in the Quadrennial Homeland Security Review.” It also says that the office hasn’t developed a plan to carry out recommendations and goals in the National Strategy, the National Infrastructure Protection Plan and the Comprehensive National Cybersecurity Initiative.

The report also says that CS&C hasn’t developed metrics to measure its progress in boosting cyber security and critical infrastructure protection.

“The use of performance metrics is a critical step in the risk management process to enable DHS and sector-specific agencies to assess improvements in CIKR (Critical Infrastructure and Key Resources) protection and resiliency at the national and sector levels objectively and qualitatively,” says the IG.