Custom-made Awareness Raising to enhance Cybersecurity Culture

Agency News, Association News, Cyber Security CII sector, Industry News
The European Union Agency for Cybersecurity (ENISA) empowers organisations by publishing the updated version of the ‘Awareness Raising in a Box’.
Advanced protection of systems and a robust cybersecurity strategy have become a priority for all kinds of organisations, as cybersecurity issues and threats have evolved to be increasingly sophisticated and pervasive. Thus, awareness raising activities and having a relevant methodology in place are a fundamental to integrating cybersecurity in the organisational culture. With a view to achieve this goal, applying game design elements in cybersecurity awareness activities can simplify familiarisation with terms and concepts through a hands-on experience and motivate employees’ participation.
To test the new edition of the all-in-one toolkit, ENISA piloted the Awareness Raising in a Box (AR-in-a-BOX) with the Cypriot Digital Security Authority and the Cypriot National Coordination Centre.
The Head of the Cypriot Digital Security Authority, Diamantis Zafeiriades, highlighted that "The Digital Security Authority (DSA) and the Cyprus National Coordination Centre for Cybersecurity (NCC-CY) is proud to be working along with the European Union Agency for Cybersecurity (ENISA) to test and promote the Awareness Raising in a Box’ (AR-in-a-BOX), which aims to boost knowledge on cybersecurity awareness techniques. Acknowledging that cyber resilience is a constant training journey for the unpredictable, we are committed to support such initiatives on an ongoing basis."
AR-in-a-Box allows professionals from small and medium (SMEs) to big enterprises and public or private entities, to improve their knowledge on cybersecurity awareness techniques. This comprehensive toolkit offers a blend of theoretical frameworks and practical resources, enabling organisations to craft tailored cybersecurity awareness programmes, including gamification of content.
Notably, the updated version features an online Cyber Awareness Game accessible through the EU ACADEMY.
The updated version of AR-in-a-Box includes the existing catalogue of instructions, games and activities but has also been enriched with the addition of a new guide for the development of internal and external cyber crisis communication plans.
The cyber crisis communication guide aims to help organisations and experts improve their communicational preparedness and response, in times of a cybersecurity crisis. As such incidents may impact several aspects of their operations, the guide provides a holistic approach on their protection and mitigation of risks and damages.
Leave a comment

Geopolitics Accelerates Need For Stronger Cyber Crisis Management

Agency News, Cyber Security CII sector, Industry News

ENISA publishes a study on ‘Best Practices for Cyber Crisis Management’ that assists in preparation for crisis management. The study was conducted for the EU Cyber Crisis Liaison Organisation Network (CyCLONe) and is now available publicly.

The geopolitical situation continues to impact the cyber threat landscape also within the European Union. Planning for expected or unexpected threats and incidents is vital for good crisis management.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar underlined that “Sharing best practices for Member States is a step in successfully strengthening cyber crisis management. This report serves as a tool to assist with implementing the provisions of the NIS2 Directive. Crisis management processes for business continuity are paramount.”

The study outlines the framework and circumstances with cyber crisis scenarios and proposes a series of best practices that will enable the transition into the new requirements of NIS2 Directive, the EU-wide legislation on cybersecurity. The study aims to bring a heterogeneous ecosystem towards stronger harmonisation.

The proposed best practices are clustered into the four phases of the cyber crisis management cycle (prevention, preparedness, response and recovery) and refer to issues arising during each stage with an all-hazards approach.

Concluding with a list of recommendations, ENISA proposes steps to improve Member States’ capacity-building and operational cooperation in the context of cyber crisis management.

Cyber Crisis Management Framework through NIS2
The long history of the EU regarding cybersecurity, and particularly cyber crisis, proves its commitment in building a solid legislative framework to safeguard Member States from emerging threats. Built upon the first directive on Network and Information Security (NIS) that was set in 2016, the NIS2 entry into force marks a transformative period in the field of cybersecurity in the EU due to the new, upgraded provisions and obligations for Member States to incorporate into their national legislation. A key change brought by the adoption of NIS2 includes the reinforced role of ENISA in coordinating cybersecurity actors, such as EU-Cyber Crises Liaison Organisation Network (EU-CyCLONe) and the EU CSIRTs Network.

The European cyber crisis liaison organisation network (EU-CyCLONe)
Under NIS2 Directive, ENISA’s mandate has a role as the secretariat for Cyber Crises Liaison Organisation Network (EU CyCLONe), a network dedicated to enhance Member States’ national authorities’ cooperation in cyber crisis activities and management.

The network collaborates and develops information sharing and situational awareness based on the support and tools provided by ENISA. The network is chaired in turns by a representative from the Presidency of the Council of the EU.

Formed by the representatives of Member States’ cyber crisis management authorities, the EU CyCLONe intervenes together with the European Commission in case of large-scale cybersecurity incidents likely to have a significant impact on services and activities falling into the scope of the NIS2. ENISA also supports the organisation of exercises for EU CyCLONe members, such as CySOPex (played by officers) and as, in this case, BlueOLEx (played by executives).

ENISA pioneers the development of proper mechanisms and consistency for cyber incidents, crisis management and conducting cyber exercises. ENISA is tasked to roll-out the implementation of the Cybersecurity Support Action in 2022 that includes the provision of support to Member States to further mitigate the risks of large-scale cybersecurity incidents in the short term.

Leave a comment

Shaping Cybersecurity Policy towards a trusted and secure Europe

Agency News, Cyber Security CII sector, Industry News
European Union Agency for Cybersecurity (ENISA),the European Commission (DG CNECT) and the Belgian presidency of the Council of the European Union organised the 2nd EU Cybersecurity Policy Conference.
This year significant attention was dedicated to the ongoing implementation process of the latest EU cybersecurity policies, both from the national and EU perspective. Against the backdrop of evolving geopolitical developments and the ever-shifting cyber threat landscape, discussions also touched upon the complexities and hurdles within the cybersecurity world and how they will eventually shape the policy priorities.
The first panel covered the deployment of Active Cyber Protection (ACP) measures by Member States within the existing EU legislation and policy framework and the means to boost it by building smart regulatory mechanisms and collaborative implementation.
The second round of discussions addressed market and product challenges, and particularly the digital product and services certification requirements that have attracted the attention of the cybersecurity community.
The topic of certification was also approached in the light of the skills gap that we are facing and its link with building cyber resilience in the EU. On the occasion of the Cybersecurity Certification week and the current progress on the matter, the EU Agency for Cybersecurity is also holding the Annual Cybersecurity Certification Conference on in Brussels.
The Belgian State Secretary for Digitalisation, Mathieu Michel, highlighted that “Cybersecurity and its future policy is a topic of the utmost importance for Belgium, and for Europe, because it is a cornerstone for our future digital and economic growth. I don’t think it is a coincidence that our overall Presidency motto ‘Protect, Strengthen, and Prepare’, is so central to cybersecurity in general. In a world where technology is evolving at a rapid pace, where cyber threats are multiplying and becoming more complex, it is imperative that we adapt our cybersecurity approach to address unprecedented challenges. A flexible, adaptable, and proactive approach to cybersecurity is the guarantee to create vital trust in the ongoing digital transformation, and to make sure that new technologies are secure.”
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Implementing the cybersecurity legal framework of the last two years and ensuring the operational capabilities to deal with emerging cyber challenges will be our measure of success. These ongoing discussions will enable the Agency to propose recommendations in the first ever State of Cybersecurity in the Union report that will direct Europe's strategic mission for a high common level of cybersecurity.”
Among the themes of the conference was the implementation process of the NIS2 Directive provisions and its impact on critical infrastructure sectors, the necessity for more synergies between defence and civilian cybersecurity communities, as well as the emergence of global cybersecurity threats, combined with the rise of new technologies, such as AI, and how policy foresight in this domain might contribute towards better cybersecurity preparedness.
In 2023, ENISA developed the NIS 360 methodology to do an assessment of NIS sectors on an annual basis, to understand better their overall maturity, criticality and to identify areas for improvement. The first edition covered 10 NIS sub-sectors. The policy framework in the finance sector is the most mature, while the telecoms, digital infrastructure, trust and finance sectors are scoring the highest in risk management.
Leave a comment

EGNOS offers increased resiliency against peak solar flares

Agency News, Industry News
EGNOS, Europe's regional satellite-based augmentation system (SBAS), helps improve the performance of GNSS systems like GPS and Galileo. It does this by using GNSS measurements taken by accurately located reference stations deployed across Europe. All measured GNSS errors are transferred to a central computing centre where differential corrections and integrity messages are calculated. These calculations are then broadcast over the covered area using geostationary satellites that serve as an augmentation, or overlay, to the original GNSS message.
As a result, EGNOS improves the accuracy and reliability of GNSS positioning information – even during such anomalies as a solar flare. In fact, during the 24 March solar flare event, EGNOS recorded good performance. EGNOS Safety-of-life Service performance dropped slightly in the far north of Finland and Norway, down to 98%. Users in the area were more likely to notice the aurora borealis lighting up the sky than any issue with their positioning information.
Just as Solar Cycle 25 continues to ramp up, so too does EGNOS. The latest system upgrade offers increased resilience against peak solar activity, amongst other advanced functionalities.
Leave a comment

CISA Unveils New Public Service Announcement – We Can Secure Our World

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector
Cybersecurity and Infrastructure Security Agency (CISA) has launched We Can Secure Our World, the second PSA in its Secure Our World cybersecurity public awareness program. The PSA will be promoted widely across the U.S. on television, radio, digital ads, retail centers, social media platforms, and billboards throughout 2024. We Can Secure Our World builds on the success of CISA’s first ever public service announcement (PSA) which launched in September 2023.
A Pew Research Center survey conducted last year shows that 95% of American adults use the internet, 90% have a smartphone and 80% subscribe to high-speed internet at home. Additionally, the survey also reported nearly 70% of children and adolescents have been exposed to at least one cyber risk in the past year. With cyber threats increasing among Americans of all ages, CISA is working to empower all Americans to protect themselves from hackers getting into their devices through easy steps that anyone can do anywhere and anytime.
The Secure Our World cybersecurity public awareness program, initially launched in September 2023, with its first PSA receiving nearly 20,000 views on YouTube, and educational materials including “How to” videos and tip sheets, were downloaded approximately 50,000 times. CISA also had a video that aired at the NFL Experience in the week leading up to the Super Bowl. CISA had a Super Bowl-related social media campaign that garnered more than 200,000 views and reached audiences spanning America’s diverse population.
The Secure Our World program is designed to educate and empower individuals to take proactive steps in safeguarding their digital lives. Tapping into the nostalgia of beloved musical cartoon series from the 1970s and 1980s, the new PSA features lovable character Max from the first PSA and introduces “Joan the Phone” who teaches us how to stay safe online. Through engaging messaging encouraging simple steps to protect ourselves online, the program aims to raise awareness about the importance of cybersecurity and empower individuals to adopt best practices to mitigate online risks.
“Basic cyber hygiene prevents 98% of cyber attacks—why we’re on a mission to make cyber hygiene as common as brushing our teeth and washing our hands. BUT(!) “cyber” anything can seem overly technical and complicated to the vast majority of Americans from K through Gray—why we’re also on a mission to make such information more accessible,” said CISA Director Jen Easterly. “As someone who grew up with Saturday morning cartoons, I am super excited about what we’ve done with our new Secure Our World PSA to leverage a recognizable educational medium to promote cybersecurity best practices. We’re really excited to take public awareness of cyber safety to a whole new level of creativity.”
Leave a comment

CISA Announces Secure by Design Commitments from Leading Technology Providers

Agency News, Cyber Security CII sector, Industry News
CISA has announced voluntary commitments by 68 of the world’s leading software manufacturers to CISA’s Secure by Design pledge to design products with greater security built in.
“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design,” CISA Director Jen Easterly said. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”
A list of the 68 companies, including leading software manufacturers, participating in the pledge can be found at the Secure by Design Pledge page, and statements of support for the pledge can be read here.
By catalyzing action by some of the largest technology manufacturers, the Secure by Design pledge marks a major milestone in CISA’s Secure by Design initiative. Participating software manufacturers are pledging to work over the next year to demonstrate measurable progress towards seven concrete goals. Collectively, these commitments will help protect Americans by securing the technology that our critical infrastructure relies on.
“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” CISA Senior Technical Advisor Jack Cable said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”
The seven goals of the pledge are:
- Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
- Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
- Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
- Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
- Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
- CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
- Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
Each goal has core criteria which manufacturers are committing to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal, but progress should be demonstrated in public.
CISA’s global Secure by Design initiative, launched last year, implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to technology manufacturers who are most able to bear it. CISA urges software manufacturers to review CISA’s Secure by Design guidance and Secure by Design alerts to build security into their products.
Leave a comment

National Security Memorandum on Critical Infrastructure Security and Resilience

Agency News, Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Space Sector, Telecomms sector, Transport sector, Water sector
On April 30, 2024, the White House National Security Council (NSC) published the National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience. This memo builds on the important work that the Cybersecurity and Infrastructure Security Agency (CISA) and agencies across the federal government have been undertaking in partnership with America’s critical infrastructure communities for more than a decade. It also replaces Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which was issued more than a decade ago to establish national policy on critical infrastructure security and resilience.
Why Now?
Image of infrastructure-related icons over glowing, streaks of blue and white  lights
The threat environment has significantly changed since PPD-21 was issued, shifting from counterterrorism to strategic competition, advances in technology like Artificial Intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination. This change in the threat landscape, along with increased federal investment in U.S. critical infrastructure, prompted the need to update PPD-21 and issue the new memo.
The NSM will help ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen, strengthening the nation for generations to come. This NSM specifically:
- Empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risk to the nation’s critical infrastructure.
- Reaffirms the designation of 16 critical infrastructure sectors and establishes a federal department or agency responsible for managing risk within each of these sectors.
- Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.
PPD-21 pre-dates the establishment of CISA. CISA actively engaged in updating the framework established by PPD-21 to detail how the U.S. government secures and protects critical infrastructure from cyber and physical threats.
CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC’s robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.
Leave a comment

UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians

Agency News, Cyber Security CII sector
The UK government has called out China state-affiliated actors today (Monday) for carrying out malicious cyber activity targeting UK institutions and individuals important to our democracy.
The National Cyber Security Centre – a part of GCHQ – assesses that the China state-affiliated cyber actor APT31 was almost certainly responsible for conducting online reconnaissance activity in 2021 against the email accounts of UK parliamentarians, most of whom have been prominent in calling out the malign activity of China.
Separately, the compromise of computer systems at the UK Electoral Commission between 2021 and 2022 has also been attributed to a China state-affiliated actor. The NCSC assesses it is highly likely the threat actors accessed and exfiltrated email data, and data from the Electoral Register during this time.
The data, in combination with other data sources, would highly likely be used by the Chinese intelligence services for a range of purposes, including large-scale espionage and transnational repression of perceived dissidents and critics in the UK.
To help bolster the UK’s cyber resilience, the NCSC has today published updated guidance in its Defending Democracy collection for political organisations – such as parties and thinktanks – and organisations coordinating the delivery of elections, with advice on how to reduce the likelihood of cyber attacks.
Paul Chichester, NCSC Director of Operations, said:
“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world.
“The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.
“It is vital that organisations and individuals involved in our democratic processes defend themselves in cyberspace and I urge them to follow and implement the NCSC’s advice to stay safe online.”
The cyber campaign against the parliamentary email accounts of members across both Houses of Parliament was identified and successfully mitigated by Parliament’s Security Department before any accounts could be compromised.
The compromise of systems at the UK Electoral Commission was made public last year after steps had been taken to remediate and recover, with support from the NCSC.
Leave a comment

New ITU clock concept for more resilient synchronization networks

Agency News, Industry News, Telecomms sector
Global navigation satellite systems (GNSS) provide precise timing for synchronization networks that are critical to mobile telecoms and data centres, power supply and smart grids, railway and road transport, and security and public safety.
Long disruptions to GNSS could be catastrophic without solutions to maintain precise timing. These solutions are provided by ITU standards, assuring network operators and regulators that precise time will keep ticking.
Common causes of GNSS disruptions:
- GNSS segment errors
- Adjacent-band transmitters
- GNSS spoofing
- Environmental interference
- GNSS jamming
The ITU standard G.8272.1 defines the enhanced Primary Reference Time Clock (ePRTC), the primary source of time synchronization worldwide.
The GNSS signal is typically used as time reference for this clock. The latest version of this international standard provides for the delivery of timing with accuracy better than 100 nanoseconds, for up to 40 days after a GNSS loss.
Network-wide timekeeping
Introducing a new architectural concept, the new ITU standard G.8272.2 provides a coherent network reference clock (cnPRTC) that ensures highly accurate, resilient, and robust timekeeping throughout a telecom network.
The cnPRTC architecture involves interconnected clocks cooperating at the highest network level.
This allows stable, network-wide ePRTC time accuracy, even during periods of regional or network-wide GNSS unavailability or other failures and interruptions.
cnPRTC architecture at the core network level:
Comparative measurements between the clocks are another important component of the new architecture. Each clock’s performance is continuously monitored.
The whole group of clocks – connected by fibre or satellite systems such as GNSS common view – are combined under a “timescale algorithm.”
National time labs, GNSS control segments, and the UTC (coordinated universal time) established at the BIPM (international bureau of weights and measures) all rely on such algorithms to generate the time.
The revised G.8272.1 and new G.8272.2 standards are products of the working group on network synchronization and time distribution performance (Q13/15) in the ITU standardization study group for transport, access and home (ITU-T Study Group 15).
The OFC conference in San Diego (US) will feature an ITU booth (#5226), expert talks on “Tight Sync in Precision Time Protocol” on 26 March, and more hot topics at a “Standards Updates” session by the study group on 27 March.
The recent World Radiocommunication Conference (WRC-23), considering relevant ITU studies, endorsed the BIPM decision to adopt continuous UTC as the de facto time standard by 2035, with the possibility to extend the deadline to 2040 in cases where existing equipment cannot be replaced earlier.
Leave a comment

DHS Has Strengthened the Securing the Cities Program, but Actions Are Needed to Address Key Remaining Challenges

Agency News, Industry News, Transport sector
The Department of Homeland Security's Securing the Cities program is trying to reduce the risk of terrorist attacks in high-risk urban areas. This program helps state and local agencies in 13 regions detect radiological and nuclear materials that could be used in such attacks—such as by funding the purchase of wearable radiation detectors for police officers.
The agency regularly meets with the regions to check in and help address specific issues with this program. However, the agency hasn't clearly communicated to the regions how it plans to measure performance and progress.
The Department of Homeland Security's Countering Weapons of Mass Destruction Office (CWMD) has taken multiple steps to strengthen the Securing the Cities (STC) program and is working with regions to address remaining program implementation challenges. CWMD awards funding to support STC regions' program administration. It also funds the procurement and deployment of radiological and nuclear detection equipment and training for the law enforcement officers and other agency partners who use it. To strengthen the program, CWMD has increased outreach and communication activities, developed templates for regional planning and quarterly reporting, and ensured regions' access to long-term federal funding to sustain their STC-related capabilities.
As CWMD continues to improve the program, it is also working with STC regions to address challenges that may affect program implementation. Regions identified several key challenges, including staff attrition and turnover; availability and difficulty of scheduling training courses; and keeping partner agencies engaged with the STC program mission among other competing priorities.
The U.S. faces an enduring threat that terrorists could steal or smuggle nuclear or radiological materials to use in a terrorist attack. The Department of Homeland Security initiated the STC program as a pilot in 2007 to reduce the risk of such attacks by developing and enhancing sustainable radiological and nuclear detection capabilities of state and local agencies in high-risk urban areas. The program includes 13 regions. CWMD awarded about $300 million to these regions through fiscal year 2023.
The CWMD Act of 2018 included a provision for GAO to evaluate the STC program once CWMD completed an assessment of the program, which it did in 2022. This report evaluates (1) CWMD's efforts to strengthen the STC program and address regions' challenges and (2) the extent to which CWMD is measuring and tracking STC regions' performance.
GAO reviewed CWMD and STC regions' documents, interviewed officials from CWMD and from each region, and visited two regions carrying out training exercises. GAO compared CWMD's performance assessment approach with key practices for assessing program effectiveness that GAO identified in prior work.
GAO is making five recommendations, including that CWMD clearly communicate performance expectations to STC regions, collect quality information from the regions, and ensure regions' timely progress through program phases and toward achieving program goals. DHS concurred with the recommendations.
CWMD's approach to measuring and tracking regions' performance—outlined in a 2023 revision to its STC program implementation plan—generally follows the key practices and their supporting actions for assessing program effectiveness. For example, CWMD uses weekly or biweekly meetings with the STC regions to provide tailored information that regions need to address specific issues affecting their program implementation. However, it has not clearly communicated to the regions the performance expectations and planned assessment approach adopted in the revised plan. By doing so, CWMD would increase the transparency and accountability for results being achieved through the program.
CWMD is collecting and reviewing regional performance data to set targets and benchmarks for assessments that it plans to begin in fiscal year 2025. However, it needs to take additional steps to ensure that information collected from the regions is timely, consistent, complete, and accurate. CWMD officials also stated that they need to complete ongoing and planned efforts to better oversee and hold regions accountable for their performance and timely progress through program phases and toward achieving program goals. By taking these steps, CWMD will be in a better position to use evidence to manage the STC program more effectively, demonstrate regions' progress toward meeting the program goals, and communicate these results to stakeholders.
Leave a comment
1 2 3 55