Page 1 GAO-25-107943
Comptroller General
of the United States
September 2, 2025
The Honorable Sean Cairncross
Director
Office of the National Cyber Director
1600 Pennsylvania Ave NW
Washington, DC 20500
Priority Open Recommendations: Office of the National Cyber Director (ONCD)
Dear Director Cairncross:
Congratulations on your appointment. The purpose of this letter is to call your personal attention
to three open priority recommendations from GAO’s past work, which are enclosed.
1
Additionally, there is one other open GAO recommendation that we will continue to work with
your staff to address.
2
We are highlighting the following area that warrants your timely and focused attention:
Improving national cybersecurity strategies. ONCD needs to take additional steps to
improve various national strategies pertaining to cybersecurity. In March 2023, the White House
publicly issued a new National Cybersecurity Strategy, and subsequently published the
accompanying implementation plan in July 2023.
3
Additionally, ONCD, along with several other
federal entities, issued various documents contributing to an emerging national quantum
cybersecurity strategy. However, we previously reported that the National Cybersecurity
Strategy, including the National Cybersecurity Strategy Implementation Plan,
4
and the quantum
1
GAO considers a recommendation to be a priority if when implemented, it may significantly improve government
operations, for example, by realizing large dollar savings; eliminating mismanagement, fraud, and abuse; or making
progress toward addressing a high-risk or duplication issue.
2
GAO, Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing
Performance Measures and Methods. GAO-23-105468. (Washington, D.C.: September 26, 2023). We recommended
that ONCD should identify outcome-oriented performance measures for the eight cyber threat information sharing
initiatives that are included in the National Cybersecurity Strategy Implementation Plan.
3
The White House, National Cybersecurity Strategy, (Washington, D.C.: Mar. 2023) and National Cybersecurity
Strategy Implementation Plan (Washington, D.C.: July 2023).
4
GAO, Cybersecurity: National Cyber Director Needs to Take Additional Actions to Implement an Effective Strategy.
GAO-24-106916. (Washington, D.C.: Feb. 1, 2024).
