Information security vets have been waiting with bated breath for Barack Obama’s first move regarding cybersecurity. They can exhale at least a little now.

In February, the president named Melissa Hathaway acting senior director for cyberspace of the National Security Council and the Homeland Security Council, with rumors swirling that Obama will tap her for cybersecurity czar after she completes a 60-day stint in her new role reviewing the nation’s cybersecurity strategies.

Hathaway previously served as cybersecurity coordinator executive under Mike McConnell, former President Bush’s director of National Intelligence (DNI). Before that, she was a consultant for Booz Allen Hamilton.

Some may ask, why the wait? The reason Hathaway was chosen in the first place is because of her DNI experience, during which she spent time developing a comprehensive cybersecurity initiative under President Bush. This new post has her reviewing a plan she helped develop—a classic bureaucratic activity.

Obama had promised during the campaign that his cybersecurity adviser would report directly to him. However, it appears that Hathaway, as a senior director at the National Security Council, will not report directly to the president.

In any case, if cybersecurity is indeed one of Obama’s top priorities, why is Hathaway wasting her time reviewing the nation’s plans? As any CIO or CSO will tell you, it’s easy to develop a set of standards or best practices to stand up as a goal post—especially if there’s already a current version. The hard part is rolling up your sleeves and implementing it.