Critical Infrastructure Protection:

Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption

GAO-18-211: Published: Feb 15, 2018. Publicly Released: Feb 15, 2018.

Multimedia:

  • PODCAST: Protecting the Nation's Infrastructure from Cyber Attacks

    What's being done to help get a grip on the threat hackers pose to the nation's banking institutions, dams, and other critical areas of infrastructure? We explore the issue.


Contact:

Nick Marinos
(202) 512-9342
marinosn@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Security and other agencies, to review the cybersecurity framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

In response, implementation guidance for the cybersecurity framework was developed for 12 of the 16 sectors. In addition, nonfederal-led sector coordinating councils took further steps to facilitate framework adoption. For example, 3 sectors that developed implementation guidance encouraged aligning the framework with existing cybersecurity guidelines already used within their respective sectors.

Nevertheless, officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption, as reported by entities within their respective sectors. Specifically, some entities:

  • May be limited in their ability to commit necessary resources towards framework adoption.

  • May not have the necessary knowledge and skills to effectively implement the framework.

  • May face regulatory, industry, and other requirements that inhibit adopting the framework.

  • May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework.

Further, the nation's plan for national critical infrastructure protection efforts states that federal and nonfederal sector partners (including SSAs) are to measure the effectiveness of risk management goals by identifying high-level outcomes and progress made toward national goals and priorities, including securing critical infrastructure against cyber threats. However, none of the SSAs had measured the cybersecurity framework's implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption, because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature of the framework and other factors are impediments to collecting such information. While other entities, including a trade association and universities, had attempted to determine the use of the framework within certain sectors, none of those efforts yielded results that would articulate a sector-wide level of framework adoption.

Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.

Why GAO Did This Study

Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyber-related risks to critical infrastructure, in 2014, NIST developed, as called for by federal law and policy, the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework of cybersecurity standards and procedures for industry to adopt.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors.

What GAO Recommends

GAO is making nine recommendations that methods be developed for determining framework adoption by the sector-specific agencies across their respective sectors, in consultation with their respective sector partner(s), such as the sector coordinating councils, the Department of Homeland Security, and NIST, as appropriate. Five agencies agreed with the recommendations, while four others neither agreed nor disagreed.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)

    Agency Affected: Department of Agriculture

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: In its April 2018 letter, the Department of Energy (DOE) stated it planned to consult with sector partners on the development of methods for determining the level and type of NIST Framework adoption as part of updating its Cybersecurity Capability Maturity Model (C2M2) tool in 2018. DOE stated it strives to ensure that C2M2 aligns with the NIST Framework. As such, DOE stated it plans to hold a stakeholder workshop (spring/summer 2018), which may include partners from the SCCs, DHS, and NIST, and which will include an examination and discussion of the adoption of the NIST Framework. We will continue to monitor DOE actions in response to this recommendation.

    Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)

    Agency Affected: Department of Energy

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)

    Agency Affected: Environmental Protection Agency

  5. Status: Open

    Comments: In its April 2018 letter, GSA stated that it planned to recommend that the Government Coordinating Council add language to the sector-specific plan survey for the Fiscal Year 2018 National Annual Report to Congress to assess the adoption of the NIST cybersecurity framework. We will continue to observe actions taken in response to this recommendation.

    Recommendation: The Administrator of General Services, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 5)

    Agency Affected: General Services Administration

  6. Status: Open

    Comments: In its April 2018 letter, HHS stated that it is conferring with appropriate operating divisions and agencies to identify applicable methodologies for determining the level and type of framework adoption across the Healthcare and Public Health (HPH) sector. We will continue to monitor HHS actions in response to this recommendation.

    Recommendation: The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)

    Agency Affected: Department of Health and Human Services

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)

    Agency Affected: Department of Transportation

  9. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)

    Agency Affected: Department of the Treasury
