In its annual report, the successor organization to the Cyberspace Solarium Commission applauded the federal government’s efforts to improve the nation’s cybersecurity but warned that criminals and foreign adversaries still are hard at work.

The CSC 2.0 Project was created after the bipartisan, congressionally sponsored commission issued its final report in 2020. Its annual report is intended to evaluate the country’s progress toward implementing the 116 recommendations in the CSC’s final report. (See Solarium Team Urges Long-term Cybersecurity Focus.)

According to the new report, 42 of those recommendations have been fully implemented, meaning legislation has been passed, an executive order issued or some other definitive action has been taken to make them official policy. An additional 36 recommendations are nearing implementation, which means the legislation or executive order containing them “has a clear path to approval” or they have been partly implemented.

Significant measures that have been implemented include an updated national cyber strategy, which the Biden administration issued in March; the 2021 creation of the office of National Cyber Director at the White House; creating a cyber bureau at the State Department; and codifying sector risk management agencies for critical infrastructure sectors to support the cyber defenses of companies in those sectors.

Less progress has been made on the remaining recommendations. Some are categorized as “on track,” meaning the recommendation is being considered for a legislative vehicle or executive order or there are “measurable/reported signs of progress.” Others are listed as “progress limited/delayed,” which means there are no known legislative or policy actions underway or “significant barriers to implementation” for measures that “are not expected to move in the immediate future.”

Only one recommendation remains in the final category: creating House and Senate select committees on cybersecurity. The report cited “significant pushback” to the measure from unidentified sources and suggested “a future emergency [might] create the political impetus” to take action on the recommendation.

The report also noted progress on implementing suggestions from six white papers the commission published. These range from cybersecurity lessons learned during the COVID-19 pandemic to growing the federal cyber workforce, building a trusted supply chain and countering online disinformation.

Despite the successful implementation of some public-private coordination measures, the report warned that many federal agencies “have an uneven record of collaboration with the private sector,” while singling out the Defense and Energy departments for having “made more progress than others.” Even in this regard, the CSC previously suggested the Electricity Information Sharing and Analysis Center’s relationship with electric utilities is not as strong as it should be. (See Solarium Report Warns of E-ISAC Info Sharing Shortfalls.)

“Significant work remains necessary to build an effective cybersecurity partnership between the public and private sectors,” Solarium Commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) said in the introduction to the report. “This will require a careful balancing of incentivization, collaboration and … regulation across and between each of the country’s critical infrastructure sectors. A similar effort is needed to enhance cooperation with like-minded international allies and partners, ensuring a resilient global economy.”