Skip to Highlights
Highlights

What GAO Found

Most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs nine federal lead agencies—referred to as sector-specific agencies (SSA)—in consultation with the Department of Homeland Security and other agencies, to review the cybersecurity framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

In response, guidance for 12 of the 16 sectors for implementing the cybersecurity framework was developed. In addition, nonfederal led sector coordinating councils took additional steps to facilitate framework adoption. For example, 3 sectors that developed implementation guidance encouraged the alignment of the framework with existing cybersecurity guidelines used within their respective sectors.

Nevertheless, officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption, as reported by entities within their respective sectors. Specifically, some entities

May be limited in their ability to commit necessary resources towards framework adoption.

May not have the necessary knowledge and skills to effectively implement the framework.

May face regulatory, industry, and other requirements that inhibit adopting the framework.

May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework.

Further, the nation's plan for national critical infrastructure protection efforts states that federal and nonfederal sector partners (including SSAs) are to measure the effectiveness of risk management goals by identifying high-level outcomes and progress made toward national goals and priorities, including securing critical infrastructure against cyber threats. However, none of the SSAs had measured the cybersecurity framework's implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature and other factors are impediments to collecting such information. While other entities, including a trade association and universities, had attempted to determine the use of the framework within certain sectors; none of those efforts yielded results that would articulate a sector-wide level of framework adoption.

Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.

Why GAO Did This Study

Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyber-related risks to critical infrastructure, in 2014, NIST developed, as called for by federal law and policy, the Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework of cybersecurity standards and procedures for industry to adopt.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors.

Skip to Recommendations

Recommendations

GAO is making nine recommendations that methods be developed for determining framework adoption by the sector-specific agencies across their respective sectors, in consultation with their respective sector partner(s), such as the sector coordinating councils, the Department of Homeland Security, and NIST, as appropriate. Five agencies agreed with the recommendations, while four others neither agreed nor disagreed.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Agriculture
Priority Rec.
This is a priority recommendation.
1. The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)
Open
In written comments, United States Department of Agriculture (USDA) neither agreed nor disagreed with the recommendation in our report, but stated that it would attempt to develop a measurement mechanism as part of its annual data calls to the Food and Agriculture Sector. Specifically, officials stated that the diversity of the sector makes it difficult to develop a method for determining the level and type of framework adoption across the sector that would apply to all members. USDA officials added, however, that the sector coordinating council frequently invites the Department of Homeland Security to semi-annual meetings to present on both the threat to cybersecurity and resources available to support the needs of the sector. However, as of January 2020, USDA officials had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.
Department of Defense
Priority Rec.
This is a priority recommendation.
2. The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 2)
Closed - Implemented
As of November 2019, the Department of Defense (DOD), in coordination with the Defense Industrial Base sector, had developed a process to monitor the level or extent to which all contracts (not including commercial-off-the-shelf contracts) were or were not adhering to the cybersecurity requirements in DOD acquisition regulations. The regulations call for organizations to implement the security requirements in NIST SP 800-171, which is mapped to the functional areas of the cybersecurity framework. By doing so, DOD is able to determine the level at which the sector organizations are implementing the framework and the type of framework adoption through the mapping to the functional areas.
Department of Energy
Priority Rec.
This is a priority recommendation.
3. The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)
Open
The Department of Energy (DOE) stated that it worked with stakeholders to better align the Cybersecurity Capability Maturity Model (C2M2) with the updated NIST Cybersecurity Framework but did not provide specific information regarding the adoption or use of the framework. To fully address the recommendation, DOE should have a more comprehensive understanding of the framework's use by sector entities if DOE, along with other entities, want to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework. We will continue to monitor DOE actions in response to this recommendation.
Environmental Protection Agency
Priority Rec.
This is a priority recommendation.
4. The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)
Open
In written comments, EPA did not explicitly state whether it agreed or disagreed with our recommendation, but said that several factors constrain the agency from implementing the recommendation. EPA also said it agrees that a comprehensive assessment of framework adoption within the water sector would assist with evaluating and tailoring efforts to promote its use. Further, the agency stated that it will continue to work with the Water Sector Coordinating Council and sector partners to promote and facilitate adoption of the cybersecurity framework. The agency also suggested options related to developing cross-sector metrics and survey methods and stated that it will collect available data that may be characterized as cybersecurity framework "awareness," such as downloads of guidance materials and participation in classroom trainings and webinars. However, as of February 2020, EPA had yet to develop methods to determine the level and type of framework adoption. Officials identified steps the department is taking to facilitate framework use. Specifically, EPA officials told us that the agency will coordinate with its Sector Coordinating Council to identify appropriate means to collect and report information, including a survey, to determine the level and type of framework adoption. They explained that, in the past, the water sector expressed concerns with sharing sensitive cybersecurity information and in developing metrics to evaluate cybersecurity practices. . However, EPA officials stated that they have conducted training, webcasts, and outreach related to cybersecurity, including using the framework and tailoring its efforts to sector needs. According to EPA officials, the agency's goal in doing so was to ensure that sector organizations understood the importance of the framework. While the agency has some ongoing initiatives, implementing our recommendation to gain a more comprehensive understanding of the framework's use by its critical infrastructure sector is essential to the success of protection efforts.
General Services Administration
Priority Rec.
This is a priority recommendation.
5. The Administrator of General Services, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 5)
Closed - Implemented
As of February 2020, the federal departments and agencies that form the government facilities sector had submitted their risk management reports to the Department of Homeland Security and the Office of Management and Budget (OMB) that described agencies' action plans to implement the framework, as required under Executive Order 13800. The risk management assessments are included as part of OMB's Federal Information Security Modernization Act Annual Report to Congress. As a result, the reports could be used as a resource to inform the level and type of framework adoption.
Department of Health and Human Services
Priority Rec.
This is a priority recommendation.
6. The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)
Open
In written comments, the Department of Health and Human Services (HHS) concurred with the recommendation in our report and stated that it would work with appropriate entities to assist in sector adoption. In February 2020, HHS officials reported that in collaboration with NIST and a joint Cybersecurity Working Group, the agency developed 10 best practices in May 2017 (Health Industry Cybersecurity Practices) for the Healthcare and Public Health Services sector based on the framework. These practices allowed stakeholders to identify how to use the framework with existing sector resources by raising awareness and providing vetted cybersecurity practices to enable the organizations to mitigate cybersecurity threats to the sector. In addition, officials from HHS's Assistant Secretary for Preparedness and Response (ASPR) stated that the working group discussed the challenges associated with measuring the use and impact of the NIST framework, and approved the establishment of a task group to further investigate the issue. ASPR officials added that some of the ideas discussed included the use of surveys and identification of a set of voluntary reporting indicators. In its fiscal year 2021 budget justification, HHS noted that it participated in a Health Care Sector Coordinating Council (SCC) Cybersecurity Working Group survey that was sent to group members in June 2019. However, while the survey included a question on the extent a working group member used the framework, SCC officials stated that the survey results were not statistically meaningful. As of March 2021, the agency did not have any updates to report. While the department has ongoing initiatives, it had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts. We are in the process of starting a new engagement that will provide further updates to this recommendation.
Department of Homeland Security
Priority Rec.
This is a priority recommendation.
7. The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)
Open
In written comments, the Department of Homeland Security (DHS) concurred with the recommendation in our report and stated that its National Protection and Programs Directorate, as the sector-specific agency for 9 of the 16 critical infrastructure sectors, will continue to work closely with its private sector partners to ensure framework adoption is a priority. Additionally, the department stated that the directorate will work closely with its private sector partners to better understand the extent of framework adoption and barriers to adoption by entities across their respective sectors. As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, in October 2019, DHS, in coordination with its Information Technology (IT) sector partner, administered a survey to all small and midsized IT sector organizations to gather information on, among other things, framework use and plans to report on the results in 2020. DHS officials stated that any small or mid-sized business across all critical infrastructure sectors could complete the survey and that the department had promoted the survey to all sectors.
Department of Transportation
Priority Rec.
This is a priority recommendation.
8. The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)
Open
As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, officials in the Department of Transportation's (DOT) Office of Intelligence, Security, and Emergency Response, in coordination with the Department of Homeland Security (DHS), told us that they planned to develop and distribute a survey to the Transportation Systems sector to determine the level and type of framework adoption. DOT officials stated that the draft survey was undergoing DHS legal review and that the completion of the review and subsequent Office of Management and Budget review would determine when the survey is approved for distribution.
Department of the Treasury
Priority Rec.
This is a priority recommendation.
9. The Secretary of Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)
Open
The Department of the Treasury neither agreed nor disagreed with the recommendation in our report. The department stated that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from use of the framework with input from the sector coordinating council (SCC) and financial regulators. In January 2020, the department had yet to develop methods to determine the level and type of framework adoption. Treasury officials stated that the department, in coordination with the Financial and Banking Information Infrastructure Committee, and in consultation with NIST, developed the Cybersecurity Lexicon in March 2018. The lexicon addressed, among other things, common terminology for cyber terms used in the framework. Additionally, the Financial Services sector, in consultation with NIST, created the Financial Service Sector Cybersecurity Profile (profile) in October 2018, which mapped the framework core to existing regulations and guidance, such as the Commodity Futures Trading Commission System Safeguards Testing Requirements. Officials stated that these efforts will facilitate the use of the framework. As of March 2021, the agency did not have any updates to report. While the department has ongoing initiatives, implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts. We will continue to monitor the agency's progress in implementing our recommendation.

Full Report

GAO Contacts