Critical Infrastructure Protection:

Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption

GAO-18-211: Published: Feb 15, 2018. Publicly Released: Feb 15, 2018.

Multimedia:

  • PODCAST: Protecting the Nation's Infrastructure from Cyber Attacks

    What's being done to help get a grip on the threat hackers pose to the nation's banking institutions, dams, and other critical areas of infrastructure? We explore the issue.


Contact:

Nick Marinos
(202) 512-9342
marinosn@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Security and other agencies, to review the cybersecurity framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

In response, implementation guidance for the cybersecurity framework was developed for 12 of the 16 sectors. In addition, nonfederal-led sector coordinating councils took further steps to facilitate framework adoption. For example, 3 sectors that developed implementation guidance encouraged aligning the framework with the existing cybersecurity guidelines already used within their respective sectors.

Nevertheless, officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption, as reported by entities within their respective sectors. Specifically, some entities

  • May be limited in their ability to commit necessary resources towards framework adoption.

  • May not have the necessary knowledge and skills to effectively implement the framework.

  • May face regulatory, industry, and other requirements that inhibit adopting the framework.

  • May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework.

Further, the nation's plan for critical infrastructure protection efforts states that federal and nonfederal sector partners (including SSAs) are to measure the effectiveness of risk management goals by identifying high-level outcomes and progress made toward national goals and priorities, including securing critical infrastructure against cyber threats. However, none of the SSAs had measured the cybersecurity framework's implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption, because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature of the framework and other factors are impediments to collecting such information. While other entities, including a trade association and universities, had attempted to determine the use of the framework within certain sectors, none of those efforts yielded results that would articulate a sector-wide level of framework adoption.

Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.

Why GAO Did This Study

Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyber-related risks to critical infrastructure, in 2014, NIST developed, as called for by federal law and policy, the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework of cybersecurity standards and procedures for industry to adopt.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors.

What GAO Recommends

GAO is making nine recommendations that the sector-specific agencies, in consultation with their respective sector partner(s), such as the sector coordinating councils, the Department of Homeland Security, and NIST, as appropriate, develop methods for determining framework adoption across their respective sectors. Five agencies agreed with the recommendations, while four others neither agreed nor disagreed.

For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: USDA stated that it would attempt to develop a measurement mechanism as part of its annual data calls to the Food and Agriculture Sector. Additionally, the department stated that it was committed to providing its sector members with guidance on framework adoption in 2018. A more comprehensive understanding of the framework's use is necessary if USDA, along with other entities, wants to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework.

    Recommendation: The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)

    Agency Affected: Department of Agriculture

  2. Status: Open

    Priority recommendation

    Comments: DOD officials stated that, due to the voluntary nature of the framework, they did not have a mechanism to assess overall use. A more comprehensive understanding of the framework's use by sector entities is necessary if DOD, along with other entities, wants to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework.

    Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Open

    Priority recommendation

    Comments: DOE stated that it worked with stakeholders to better align the Cybersecurity Capability Maturity Model (C2M2) with the updated NIST Cybersecurity Framework but did not provide specific information regarding the adoption or use of the framework. To fully address the recommendation, DOE should have a more comprehensive understanding of the framework's use by sector entities if DOE, along with other entities, wants to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework. We will continue to monitor DOE actions in response to this recommendation.

    Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)

    Agency Affected: Department of Energy

  4. Status: Open

    Priority recommendation

    Comments: EPA has stated that it will continue to work with the Water Sector Coordinating Council (SCC) and other sector partners to promote and facilitate adoption of the cybersecurity framework. In May 2018, EPA stated that it will work with the Water SCC, the Department of Homeland Security, the National Institute of Standards and Technology, and the other sector-specific agencies to develop a methodology that all critical infrastructure sectors can apply to assess framework adoption. Once a cross-sector assessment methodology for framework usage is developed and adopted by the Department of Homeland Security and the other sector-specific agencies, EPA will work with the Water SCC to carry out the assessment for the water sector. EPA needs to provide evidence of actions taken to implement this recommendation.

    Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)

    Agency Affected: Environmental Protection Agency

  5. Status: Open

    Priority recommendation

    Comments: In April 2018, GSA stated that it planned to recommend to the Government Coordinating Council the addition of language to the sector-specific survey for the fiscal year 2018 National Annual Report to Congress to determine the level and type of framework adoption. To fully implement this recommendation, GSA, in cooperation with the Department of Homeland Security, should continue to work with respective partners, including the Government Coordinating Council, as appropriate, to develop methods for determining the level and type of adoption by entities across the government facilities sector of the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity.

    Recommendation: The Administrator of General Services, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 5)

    Agency Affected: General Services Administration

  6. Status: Open

    Priority recommendation

    Comments: In its April 2018 letter, HHS stated that it is conferring with appropriate operating divisions and agencies to identify applicable methodologies for determining the level and type of framework adoption across the HPH sector. To fully implement this recommendation, HHS should develop methods for determining the level and type of framework adoption by entities across its sector. We will continue to monitor HHS actions in response to this recommendation.

    Recommendation: The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)

    Agency Affected: Department of Health and Human Services

  7. Status: Open

    Priority recommendation

    Comments: DHS has hosted outreach and awareness engagements, including webinars, road shows, conferences, briefings, and regular working group meetings, to help organizations understand and use the Framework. Further, DHS has taken steps to determine usage amongst members of the Information Technology Sector. For example, DHS is collaborating with the Information Technology Sector Coordinating Council Small and Midsize Business (SMB) Working Group in a coordinated effort to evaluate Framework use and promote continued adoption within the broader Information Technology SMB community. However, DHS has yet to provide evidence regarding efforts to coordinate with the nine other sectors, such as the Communications and Transportation Systems sectors, for which it serves as the sector lead. DHS needs to address Framework adoption in these other sectors.

    Recommendation: The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Priority recommendation

    Comments: DOT concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)

    Agency Affected: Department of Transportation

  9. Status: Open

    Priority recommendation

    Comments: Treasury said it does not have the authority to compel entities to share cybersecurity framework adoption data but would continue engaging with NIST and its other public and private sector partners to help ensure the adoption of this framework. More recently, Treasury began discussions with NIST to identify or develop methods for determining the level and type of framework adoption by the financial sector. A more comprehensive understanding of the framework's use by financial services entities is necessary to ensure that its facilitation efforts are successful and to determine whether organizations are realizing positive results by adopting the framework.

    Recommendation: The Secretary of Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)

    Agency Affected: Department of the Treasury
