Skip to main content

Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption

GAO-18-211 Published: Feb 15, 2018. Publicly Released: Feb 15, 2018.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Security and other agencies, to review the cybersecurity framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

In response, guidance for 12 of the 16 sectors for implementing the cybersecurity framework was developed. In addition, nonfederal led sector coordinating councils took additional steps to facilitate framework adoption. For example, 3 sectors that developed implementation guidance encouraged the alignment of the framework with existing cybersecurity guidelines used within their respective sectors.

Nevertheless, officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption, as reported by entities within their respective sectors. Specifically, some entities

May be limited in their ability to commit necessary resources towards framework adoption.

May not have the necessary knowledge and skills to effectively implement the framework.

May face regulatory, industry, and other requirements that inhibit adopting the framework.

May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework.

Further, the nation's plan for national critical infrastructure protection efforts states that federal and nonfederal sector partners (including SSAs) are to measure the effectiveness of risk management goals by identifying high-level outcomes and progress made toward national goals and priorities, including securing critical infrastructure against cyber threats. However, none of the SSAs had measured the cybersecurity framework's implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature and other factors are impediments to collecting such information. While other entities, including a trade association and universities, had attempted to determine the use of the framework within certain sectors; none of those efforts yielded results that would articulate a sector-wide level of framework adoption.

Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.

Why GAO Did This Study

Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyber-related risks to critical infrastructure, in 2014, NIST developed, as called for by federal law and policy, the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework of cybersecurity standards and procedures for industry to adopt.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors.

Recommendations

GAO is making nine recommendations that methods be developed for determining framework adoption by the sector-specific agencies across their respective sectors, in consultation with their respective sector partner(s), such as the sector coordinating councils, the Department of Homeland Security, and NIST, as appropriate. Five agencies agreed with the recommendations, while four others neither agreed nor disagreed.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Agriculture
Priority Rec.
The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)
Open – Partially Addressed
USDA neither agreed nor disagreed with the recommendation, but stated that it would attempt to develop a measurement mechanism as part of its annual data calls to the Food and Agriculture Sector. USDA has taken steps towards determining framework adoption across the sector. For example, USDA has distributed several requests for information to sector members that include questions regarding framework adoption and resulting improvements. In addition, USDA requested feedback from sector partners and made subsequent changes to its data calls responses. Despite these efforts, as of February 2024, USDA has not yet received information from sector entities regarding their adoption of the NIST cybersecurity framework. To fully implement this recommendation, USDA needs to implement actions that will allow the agency to better assess framework adoption among entities within its sector. USDA has been encouraging and supporting the use of the framework. However, in order to assist in protecting critical infrastructure the agency needs to implement our recommendation so it can gain a more comprehensive understanding of the framework's use.
Department of Defense
Priority Rec.
The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 2)
Closed – Implemented
As of November 2019, the Department of Defense (DOD), in coordination with the Defense Industrial Base sector, had developed a process to monitor the level or extent to which all contracts (not including commercial-off-the-shelf contracts) were or were not adhering to the cybersecurity requirements in DOD acquisition regulations. The regulations call for organizations to implement the security requirements in NIST SP 800-171, which is mapped to the functional areas of the cybersecurity framework. By doing so, DOD is able to determine the level at which the sector organizations are implementing the framework and the type of framework adoption through the mapping to the functional areas.
Department of Energy
Priority Rec.
The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)
Closed – Implemented
DOE did not explicitly agree or disagree with our recommendation. As of August 2023, DOE demonstrated that, in coordination with a third-party contractor, it had identified strengths and weaknesses in the energy sector's implementation of the NIST cybersecurity framework and DOE's Cybersecurity Capability Maturity Model (C2M2) practices. While DOE found that there was strong performance in the implementation of some fundamental practices, the agency identified areas of opportunity in other cybersecurity domains. By taking these steps, DOE will have a more comprehensive understanding of the framework's use by energy sector entities and where to focus limited resources for cyber risk mitigation efforts.
Environmental Protection Agency
Priority Rec.
The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)
Closed – Implemented
The Environmental Protection Agency (EPA) did not explicitly state whether or not it agreed or disagreed with our recommendation. As of January 2022, the agency had taken steps to determine framework adoption for the water and wastewater systems sector through its Technical Assistance Provider Initiative. Through this initiative, EPA conducted, on a voluntary basis, technical assessments of water and wastewater utilities and determined whether and how these utilities used the framework. As of October 2021, the agency determined that 146 out of 264 water and wastewater utilities that were eligible for the voluntary assessments had adopted the framework and obtained metrics on the utilities' implementation of the framework's security controls. Officials in EPA's Office of Ground Water and Drinking Water stated that they expect the data on framework adoption and usage from this initiative to continue to evolve as EPA assesses more utilities and obtains additional data. By determining whether and how utilities used the framework through its Technical Assistance Provider Initiative, EPA has a more comprehensive grasp of the use of the cyber framework by its critical infrastructure sector including understanding the success of protection efforts and where to focus limited resources for cyber risk mitigation.
General Services Administration
Priority Rec.
The Administrator of General Services, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 5)
Closed – Implemented
As of February 2020, the federal departments and agencies that form the government facilities sector had submitted their risk management reports to the Department of Homeland Security and the Office of Management and Budget (OMB) that described agencies' action plans to implement the framework, as required under Executive Order 13800. The risk management assessments are included as part of OMB's Federal Information Security Modernization Act Annual Report to Congress. As a result, the reports could be used as a resource to inform the level and type of framework adoption.
Department of Health and Human Services
Priority Rec.
The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)
Open – Partially Addressed
The Department of Health and Human Services (HHS) agreed with this recommendation. In April 2023, HHS, in collaboration with the Healthcare and Public Health Sector Coordinating Council, published the Hospital Cyber Resiliency Initiative: Landscape Analysis. HHS's analysis describes industry adoption of the NIST cybersecurity framework based on the results from a third-party survey sent to hospitals. HHS found that hospitals responding to the survey adopted 70.7% of the NIST cybersecurity framework. HHS also evaluated the extent to which the responding hospitals adopted the five core functions of the cybersecurity framework and associated sub-categories. By taking these steps, HHS will have a more comprehensive understanding of the framework's use by healthcare and public health sector entities and where to focus limited resources for cyber risk mitigation efforts. In addition, HHS coordinated with the Department of Agriculture in taking initial steps to determine framework adoption across the food and agricultural sector by distributing two requests for information to food and agriculture sector members. However, those efforts did not generate enough responses to be useful. For instance, the Department of Agriculture did not receive any responses from private sector members regarding plans to implement, adopt, and measure improvements resulting from use of the framework. The Department of Agriculture stated that it has collaborated with HHS and the DHS to determine if there are alternative methods for collecting and assessing more substantive information. As of February 2024, HHS and the other agencies have not yet identified alternative approaches or completed or other actions for determining framework adoption in the food and agriculture sector.
Department of Homeland Security
Priority Rec.
The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)
Open – Partially Addressed
DHS concurred with the recommendation in our report and stated that the department will continue to work closely with its private sector partners to ensure framework adoption is a priority. Additionally, the agency stated that it would try to better understand the extent of, and barriers to, framework adoption by entities across their respective sectors. In October 2022, the department took initial steps to develop methods to determine the level and type of framework adoption in its respective sectors. Specifically, the department developed cross-sector cybersecurity performance goals that outline high-priority, baseline measures that businesses and critical infrastructure owners of all sizes can take to protect themselves from cyber threats. Each goal aligns with a corresponding practice in the NIST cybersecurity framework. Thus, the cross-sector performance goals can provide a basis for DHS and other sector risk management agencies to better understand and evaluate the extent to which individual sectors have adopted and implemented the framework. As of February 2024, DHS measured the adoption of two cross-sector performance goals across organizations enrolled in its vulnerability scanning service. However, DHS has not been yet demonstrated the adoption across critical sectors for which it is designated as the lead for risk management. To fully implement our recommendation, DHS needs to demonstrate the adoption of the NIST framework via cross-sector performance goals or other measures for its respective sectors. While DHS has taken important steps towards measuring framework adoption, implementing our recommendations to gain a more comprehensive understanding of the framework's use by all the sectors DHS is responsible for is essential to the success of critical infrastructure protection efforts.
Department of Transportation
Priority Rec.
The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)
Closed – Implemented
The Department of Transportation (DOT) agreed with this recommendation. In January 2023, DOT, in coordination with DHS, analyzed the results of a sector-wide survey examining the transportation systems sector's use of the NIST cybersecurity framework. The analysis identified the usage, awareness, and implementation of the framework's five core functions by entities across the transportation systems sector. The analysis also identified four findings and related corrective actions for the co-sector risk management agencies. By taking these steps, DOT will have a more comprehensive understanding of the framework's use by transportation systems sector entities and where to focus limited resources for cyber risk mitigation efforts.
Department of the Treasury
Priority Rec.
The Secretary of Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)
Open
Treasury neither agreed nor disagreed with this recommendation, stating that it does not have the authority to compel entities to share cybersecurity framework (framework) adoption data. Treasury identified steps to facilitate and encourage framework use. Officials in Treasury's Office of Cybersecurity and Critical Infrastructure Protection stated that the Financial Services Sector Coordinating Council developed a cybersecurity profile for the sector that is based on the NIST cybersecurity framework. The profile maps the framework's five core functions to existing regulations and guidance for financial services entities. We reported in February 2022 that officials in Treasury's Office of Cybersecurity and Critical Infrastructure Protection believed financial services entities focus on implementing what regulators require, so increasing the regulators' recognition and adoption of the framework could lead to greater use. As of February 2024, Treasury had yet to develop methods to determine the level and type of framework adoption. Treasury stated that the voluntary nature of private sector participation in sector risk management agency activities affects the agency's ability to implement certain recommendations related to critical infrastructure protection. Notwithstanding these limitations, Treasury stated that it plans to collaborate with the financial services sector to develop metrics on sector risk mitigation efforts and for determining the level and type of framework adoption regarding use of the framework. Treasury did not identify a planned time frame for completing those efforts. Although the lack of authority is challenging, implementing the recommendation to gain a more comprehensive understanding of the framework's use by the sector is essential to the success of critical infrastructure protection efforts.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Compliance oversightCritical infrastructureCritical infrastructure protectionCybersecurityEnergy sectorsFinancial services sectorPublic and private partnershipsPublic healthRisk managementSecurity assessments