Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements
Fast Facts
Q: How does the government help keep banks, water systems, and other critical infrastructure from getting hacked?
A: A federal agency that issues standards and procedures—NIST—has a cybersecurity framework that critical infrastructure organizations can adopt.
All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organization said that the framework allowed it to better identify and address cybersecurity risks.
However, the agencies with lead roles in protecting critical infrastructure are not collecting or reporting on improvements from using the framework as we recommended.
Lock and laptop
Highlights
What GAO Found
Most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework), as GAO previously recommended. Specifically, two of the nine SSAs had developed methods and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.
The 12 selected organizations using the framework reported varying levels of resulting improvements. Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the (1) lack of precise measurements of improvement, (2) lack of a centralized information sharing mechanism, and (3) voluntary nature of the framework. NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments.
- Precise measurements: NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.
- Centralized sharing: DHS identified its homeland security information network as a tool that was intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
- Voluntary nature: In April 2019, NIST issued its NIST Roadmap for Improving Critical Infrastructure Cybersecurity , version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.
While these initiatives are encouraging, the SSAs have not yet reported on sector-wide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.
Why GAO Did This Study
Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures.
The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials.
Recommendations
GAO is making ten recommendations—one to NIST on establishing time frames for completing selected programs—and nine to the SSAs to collect and report on improvements gained from using the framework. Eight agencies agreed with the recommendations, while one neither agreed nor disagreed and one partially agreed. GAO continues to believe that all ten recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of the Director | The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1) | NIST established time frames and completed initiatives that may help sector risk management agencies (SRMAs) address some of the challenges in measuring improvements from sector entities' use of the framework. Specifically, NIST launched its Measurements for Information Security program and associated website in September 2020. The website included links to tools, guidance, and other resources for organizations to better manage cybersecurity risk. With the establishment of this program and website, NIST can help address the challenge of developing precise measurements of improvement and measuring the direct impact of using the framework. In addition, NIST worked with the National... Cybersecurity Alliance to publish five small business cybersecurity case studies. According to NIST officials, small businesses wanted examples of the framework applied to case studies in lieu of creating starter profiles that NIST was previously considering. The case studies include actions that are aligned to the framework, lessons learned, and resources that small businesses could use to handle common cybersecurity issues and realize improvements from use of the framework. Issues that the case studies address include automated teller machine skimming, keylogging, malware, and bank fraud; encryption and business security standards; social engineering and phishing; and data breaches. The case studies help address the challenge that SRMAs identified regarding the lack of use cases. By implementing our recommendation and completing these important initiatives, NIST's efforts help SRMAs address challenges in identifying sector-wide improvements from using the framework.
View More |
| Department of Agriculture | The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2) | USDA concurred with our recommendation and has taken multiple steps to determine NIST cybersecurity framework use in the food and agriculture sector. For example, USDA, in collaboration with the Food and Drug Administration, distributed several requests for information to sector members that include questions regarding framework adoption and resulting improvements. In addition, USDA requested feedback from sector partners and made subsequent changes to its data call questionairre. Further, USDA officials stated that they requested input on framework adoption and improvements from the Sector Coordinating Council and Information Sharing and Analysis Center. As of January 2025, USDA...
|
| Office of the Secretary of Defense | The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3) | The Department of Defense (DOD) concurred with our recommendation and has taken actions to implement it. In December 2023, DOD demonstrated that its Office of the Chief Information Officer measured improvements among sector entities in adopting cybersecurity practices associated with the DOD Cyber Crime Center's cyber resilience analysis. In addition, in February 2024 DOD demonstrated that it had mapped cybersecurity practices in its cyber resilience analysis with practices from NIST Special Publication 800-171 and the NIST cybersecurity framework. According to DOD, sector entities who conducted multiple cyber resilience analyses resulted in an average improvement rate of 42 percent in...
|
| Office of the Secretary of the Department of Energy | The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4) | The Department of Energy (DOE) partially concurred with our recommendation and stated that it will coordinate with the energy sector to develop an understanding of sector-wide improvements from use of the NIST cybersecurity framework. In August 2023, DOE, in coordination with a third-party contractor, identified strengths and weaknesses in the energy sector's implementation of the NIST cybersecurity framework based on its analysis of sector entity self-assessments. As a result of these efforts, DOE identified next steps for helping the energy sector improve its cybersecurity and resilience posture. While DOE has taken action to assess the sector's implementation of the NIST cybersecurity...
|
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5) | EPA identified improvements to the water and wastewater sector through its technical assistance and assessments. Specifically, EPA launched a voluntary Technical Assistance Provider Initiative to provide cybersecurity assistance and create cybersecurity action plans for sector members. As part of the initiative, EPA's Office of Groundwater and Drinking Water developed metrics based on the framework, which it used to identify improvements resulting, in part, from use of the framework. As of October 2021, 146 utilities had completed both an initial assessment and two follow-up assessments. The data on improvements and progress made included growth that the entities have collectively made...
|
| GSA Office of the Administrator | The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6) | GSA, in coordination with its co-sector risk management agency, the Department of Homeland Security's (DHS) Federal Protective Service, identified improvements to the government facilities sector from the sector's use of the framework. Through Executive Order 13800, federal agencies that make up the government facilities sector were directed to provide a risk management report to the Office of Management and Budget (OMB) and DHS, where agencies were assessed against the five functional areas of the framework. After receiving risk management reports from sector organizations, OMB identified four areas where agencies needed to improve their cybersecurity programs in its May 2018 Federal...
|
| Office of the Secretary for HHS | The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7) | The Department of Health and Human Services (HHS) agreed with this recommendation and has taken steps to implement it. In April 2023, HHS, in collaboration with the Healthcare and Public Health Sector Coordinating Council, published the Hospital Cyber Resiliency Initiative: Landscape Analysis. HHS's analysis describes industry adoption of the NIST cybersecurity framework based on the results from a third-party survey sent to hospitals. HHS found that hospitals responding to the survey adopted 70.7% of the NIST cybersecurity framework. HHS also evaluated the extent to which the responding hospitals adopted the five core functions of the cybersecurity framework and associated...
|
| Office of the Secretary for DHS | The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8) | DHS concurred with and has taken steps to implement our recommendation. Specifically, the department developed cross-sector cybersecurity performance goals that outline high-priority, baseline measures that businesses and critical infrastructure owners of all sizes can take to protect themselves from cyber threats. Each goal aligns with a corresponding practice in the NIST cybersecurity framework. Thus, the cross-sector performance goals can provide a basis for DHS and other sector risk management agencies to better understand and evaluate the extent to which individual sectors have realized improvements from the framework. DHS tracked cybersecurity improvements that organizations...
|
| Office of the Secretary for DOT | The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9) | The Department of Transportation (DOT) agreed with this recommendation and has taken actions to implement it. DOT, in coordination with its co-sector risk management agency the Department of Homeland Security (DHS), developed and analyzed the results of a survey to determine the transportation systems sector's adoption and use of the NIST cybersecurity framework. Among other things, the agencies found that sector entities who converted to using the NIST framework after becoming aware of it did so because of the value those organizations believed the framework added. DOT and DHS measured the value that the framework provided to organizations by asking how it helped them understand or...
|
| Office of the Secretary for Treasury | The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10) | Treasury neither agreed nor disagreed with this recommendation, stating that it does not have the authority to compel financial institutions to respond to inquiries regarding the sector's use of the framework or resulting improvements. In January 2023, Treasury identified plans to collaborate with the financial services sector to develop metrics on sector risk mitigation efforts and methods to determine framework adoption. However, as of February 2025 Treasury has not yet completed these efforts or provided a time frame for doing so. To implement our recommendation, Treasury needs to demonstrate that it has taken steps to consult with sector partners on ways to collect and report on...
|