Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption

GAO-18-211 Published: Feb 15, 2018. Publicly Released: Feb 15, 2018.
Highlights

What GAO Found

Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Security and other agencies, to review the cybersecurity framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

In response, guidance for 12 of the 16 sectors for implementing the cybersecurity framework was developed. In addition, nonfederal-led sector coordinating councils took additional steps to facilitate framework adoption. For example, 3 sectors that developed implementation guidance encouraged the alignment of the framework with existing cybersecurity guidelines used within their respective sectors.

Nevertheless, officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption, as reported by entities within their respective sectors. Specifically, some entities

May be limited in their ability to commit necessary resources towards framework adoption.

May not have the necessary knowledge and skills to effectively implement the framework.

May face regulatory, industry, and other requirements that inhibit adopting the framework.

May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework.

Further, the nation's plan for national critical infrastructure protection efforts states that federal and nonfederal sector partners (including SSAs) are to measure the effectiveness of risk management goals by identifying high-level outcomes and progress made toward national goals and priorities, including securing critical infrastructure against cyber threats. However, none of the SSAs had measured the cybersecurity framework's implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature of the framework and other factors are impediments to collecting such information. While other entities, including a trade association and universities, had attempted to determine the use of the framework within certain sectors, none of those efforts yielded results that would articulate a sector-wide level of framework adoption.

Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.

Why GAO Did This Study

Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyber-related risks to critical infrastructure, in 2014, NIST developed, as called for by federal law and policy, the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework of cybersecurity standards and procedures for industry to adopt.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors.


Recommendations

GAO is making nine recommendations that methods be developed for determining framework adoption by the sector-specific agencies across their respective sectors, in consultation with their respective sector partner(s), such as the sector coordinating councils, the Department of Homeland Security, and NIST, as appropriate. Five agencies agreed with the recommendations, while four others neither agreed nor disagreed.

Recommendations for Executive Action

Agency Affected: Department of Agriculture (priority recommendation)
Recommendation: The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)
Status: Open
Comments: In written comments, the United States Department of Agriculture (USDA) neither agreed nor disagreed with the recommendation in our report. As of January 2022, USDA, in coordination with the Department of Health and Human Services (HHS) as the co-sector risk management agency (SRMA), and its sector partners, took initial steps to determine framework adoption for the food and agriculture sector by distributing a request for information to sector members. The request for information was included in the food and agriculture sector's annual report for fiscal year 2020 to collect information on accomplishments, activities, and programs that show progress towards sector goals. Officials from USDA's Office of Homeland Security stated that the agencies distributed the request for information to approximately 350 representatives of organizations in the food and agriculture sector and government coordinating council. Organizations included federal, state, local, tribal, and territorial governments; academia; and the private sector. While USDA and HHS requested information on agencies' use of the framework, officials from USDA's Office of Homeland Security noted that this effort did not generate enough responses to be useful. As a result, USDA and HHS were not able to determine adoption across the sector. As of October 2021, officials from USDA's Office of Homeland Security did not have additional plans for determining framework adoption among sector entities. However, according to agency officials, the department is in the process of preparing a request for information for the fiscal year 2021 Sector Annual Report and may include a question about framework adoption. Until the SRMAs have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation. We will continue to monitor the agency's progress in implementing our recommendation.

Agency Affected: Department of Defense (priority recommendation)
Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 2)
Status: Closed – Implemented
Comments: As of November 2019, the Department of Defense (DOD), in coordination with the Defense Industrial Base sector, had developed a process to monitor the level or extent to which all contracts (not including commercial-off-the-shelf contracts) were or were not adhering to the cybersecurity requirements in DOD acquisition regulations. The regulations call for organizations to implement the security requirements in NIST SP 800-171, which is mapped to the functional areas of the cybersecurity framework. By doing so, DOD is able to determine the level at which the sector organizations are implementing the framework and the type of framework adoption through the mapping to the functional areas.

Agency Affected: Department of Energy (priority recommendation)
Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)
Status: Open
Comments: The Department of Energy (DOE) did not explicitly agree or disagree with our recommendation. As of January 2022, the agency took initial steps to determine framework adoption for the energy sector by tracking requests for a sector-based cybersecurity toolkit, assessing polling data, and obtaining anecdotal reports on framework use from sector entities. For example, as of May 2021, DOE's Office of Cybersecurity, Energy Security, and Emergency Response reported that 1,940 organizations had downloaded 2,253 Cybersecurity Capability Maturity Model (C2M2) toolkits. The toolkit included the C2M2, version 1.1, which is mapped to the framework in the Energy Sector Cybersecurity Framework Implementation Guidance. While DOE had initiated the above efforts to measure adoption, those efforts did not provide sufficient information for the agency to determine framework adoption throughout the energy sector. For instance, while downloads of toolkits can provide an indicator of potential adoption because the C2M2 model is integrated with controls from the framework, they may not directly result in framework adoption. Thus, the download numbers did not provide sufficient information about adoption. DOE noted that it is exploring additional strategies, such as leveraging data from trade associations and conducting additional feedback sessions with other groups, such as a user community workshop, to obtain broader information across the sector. DOE is also exploring other steps to collect more information, such as learning new approaches to measuring adoption and engaging with national laboratories to report on sector usage of the framework, C2M2, and other derivative frameworks aligned with NIST guidance. If the agency implements its planned steps effectively, DOE could be better positioned to determine framework adoption among entities within its sector. Until sector risk management agencies have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation. We will continue to monitor the agency's progress in implementing our recommendation.

Agency Affected: Environmental Protection Agency (priority recommendation)
Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)
Status: Closed – Implemented
Comments: The Environmental Protection Agency (EPA) did not explicitly state whether it agreed or disagreed with our recommendation. As of January 2022, the agency had taken steps to determine framework adoption for the water and wastewater systems sector through its Technical Assistance Provider Initiative. Through this initiative, EPA conducted, on a voluntary basis, technical assessments of water and wastewater utilities and determined whether and how these utilities used the framework. As of October 2021, the agency determined that 146 out of 264 water and wastewater utilities that were eligible for the voluntary assessments had adopted the framework, and it obtained metrics on the utilities' implementation of the framework's security controls. Officials in EPA's Office of Ground Water and Drinking Water stated that they expect the data on framework adoption and usage from this initiative to continue to evolve as EPA assesses more utilities and obtains additional data. By determining whether and how utilities used the framework through its Technical Assistance Provider Initiative, EPA has a more comprehensive grasp of the use of the cyber framework by its critical infrastructure sector, including understanding the success of protection efforts and where to focus limited resources for cyber risk mitigation.

Agency Affected: General Services Administration (priority recommendation)
Recommendation: The Administrator of General Services, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 5)
Status: Closed – Implemented
Comments: As of February 2020, the federal departments and agencies that form the government facilities sector had submitted their risk management reports to the Department of Homeland Security and the Office of Management and Budget (OMB) that described agencies' action plans to implement the framework, as required under Executive Order 13800. The risk management assessments are included as part of OMB's Federal Information Security Modernization Act Annual Report to Congress. As a result, the reports could be used as a resource to inform the level and type of framework adoption.

Agency Affected: Department of Health and Human Services (priority recommendation)
Recommendation: The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)
Status: Open
Comments: In written comments, the Department of Health and Human Services (HHS) concurred with the recommendation in our report and stated that it would work with appropriate entities to assist in sector adoption. As of February 2022, HHS took steps to encourage use of the framework through the development of health industry resources, updating implementation guidance, mapping tools to the framework, and implementing best practices. For example, HHS officials from the Office of the Assistant Secretary for Preparedness and Response stated that the department organized a joint government and private-sector cybersecurity working group, under which a task group developed the Health Industry Cybersecurity Practices. This publication raised awareness and encouraged use of the framework because it introduced terms and concepts from the framework and leveraged the framework to establish the recommended health industry practices. Additionally, in November 2021, HHS officials from the Office of the Assistant Secretary for Preparedness and Response stated that the agency plans to form a task group in 2022 to discuss how to obtain an understanding of framework use across the sector, pending resource availability. HHS officials also stated that they will be reviewing actions of other sector risk management agencies (SRMAs) to better assess framework adoption. Until SRMAs have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation. We will continue to monitor the agency's progress in implementing our recommendation.

Agency Affected: Department of Homeland Security (priority recommendation)
Recommendation: The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)
Status: Open
Comments: In written comments, the Department of Homeland Security (DHS) concurred with the recommendation in our report. As of January 2022, DHS's Cybersecurity and Infrastructure Security Agency (CISA), in coordination with its information technology sector coordinating council, took initial steps to determine adoption by administering a survey to the information technology sector's small and medium-sized business community from October through December 2019 to gather information on, among other things, framework use. One hundred businesses responded to the survey. CISA reported that a total of 63 of the 100 businesses used the framework alone or in conjunction with other frameworks, standards, and practices. Additionally, according to CISA officials, the businesses that responded to the survey self-identified that they were part of the information technology sector and one or more of the other seven sectors for which DHS is the sector risk management agency (SRMA). Although the survey gathered information regarding the level and type of adoption from organizations that responded, there was not enough information for CISA to determine framework adoption across all of its sectors. For instance, each of the eight sectors for which DHS is the SRMA includes thousands of businesses, yet none of the sectors had more than 40 respondents. As of September 2021, CISA did not have plans for conducting additional surveys to determine framework adoption among its sectors. Until SRMAs have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation. We will continue to monitor the agency's progress in implementing our recommendation.

Agency Affected: Department of Transportation (priority recommendation)
Recommendation: The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)
Status: Open
Comments: The Department of Transportation (DOT) concurred with our report's findings and recommendation. As of January 2022, the department, in coordination with its co-SRMA (the Department of Homeland Security's (DHS) Transportation Security Administration), took initial steps to determine framework adoption by developing and distributing a survey to the sector from March to June of 2021. Specifically, according to officials from DOT's Office of Intelligence, Security, and Emergency Response, the survey was distributed to 10 transportation systems sector coordinating council leads, along with dozens of federal sector stakeholders. DOT officials stated that the survey received a total of 857 responses. The survey collected information on awareness and usage of the framework and the subsector of the responding organization. Further, the survey gathered information on the extent to which the organization had implemented the five core functions of the framework. However, as of November 2021, the agencies had not yet determined framework adoption for the sector because they had not completed the analysis of the survey responses. According to officials from DOT's Office of Intelligence, Security, and Emergency Response and DHS's Transportation Security Administration, the co-SRMAs are still analyzing the results of the survey and expect to complete their analysis by March 2022. Once the agencies have completed their analysis of the responses, DOT and DHS may be in a position to determine framework adoption among entities within the sector, as we have recommended. Until sector risk management agencies have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation. We will continue to monitor the agencies' progress in implementing our recommendation.

Agency Affected: Department of the Treasury (priority recommendation)
Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)
Status: Open
Comments: Treasury neither agreed nor disagreed with this recommendation, stating that it does not have the authority to compel entities to share cybersecurity framework (framework) adoption data. Treasury identified steps to facilitate and encourage framework use. Officials in Treasury's Office of Cybersecurity and Critical Infrastructure Protection stated that the Financial Services Sector Coordinating Council developed a cybersecurity profile for the sector that is based on the NIST cybersecurity framework. The profile maps the framework's five core functions to existing regulations and guidance for financial services entities. We reported in February 2022 that officials in Treasury's Office of Cybersecurity and Critical Infrastructure Protection believed financial services entities focus on implementing what regulators require, so increasing the regulators' recognition and adoption of the framework could lead to greater use. However, as of February 2022, Treasury had yet to develop methods to determine the level and type of framework adoption. Despite Treasury's actions to promote the use of the framework, officials stated that they do not have the authority to compel members of the financial services sector to respond to inquiries regarding adoption and, therefore, cannot track implementation of the framework. Although the lack of authority is challenging, implementing the recommendation to gain a more comprehensive understanding of the framework's use by the critical infrastructure sector is essential to the success of cybersecurity protection efforts.