Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements
Q: How does the government help keep banks, water systems, and other critical infrastructure from getting hacked?
A: A federal agency that issues standards and procedures—NIST—has a cybersecurity framework that critical infrastructure organizations can adopt.
All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organization said that the framework allowed it to better identify and address cybersecurity risks.
However, the agencies with lead roles in protecting critical infrastructure are not yet collecting or reporting on the improvements that result from using the framework, as we recommended they do.
What GAO Found
Most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework), as GAO previously recommended. Specifically, two of the nine SSAs had developed methods and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.
The 12 selected organizations using the framework reported varying levels of resulting improvements. Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the (1) lack of precise measurements of improvement, (2) lack of a centralized information sharing mechanism, and (3) voluntary nature of the framework. NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments.
- Precise measurements: NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.
- Centralized sharing: DHS identified its homeland security information network as a tool that was intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
- Voluntary nature: In April 2019, NIST issued its NIST Roadmap for Improving Critical Infrastructure Cybersecurity, version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.
While these initiatives are encouraging, the SSAs have not yet reported on sector-wide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.
Why GAO Did This Study
Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures.
The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials.
Recommendations
GAO is making ten recommendations—one to NIST on establishing time frames for completing selected programs—and nine to the SSAs to collect and report on improvements gained from using the framework. Eight agencies agreed with the recommendations, while one neither agreed nor disagreed and one partially agreed. GAO continues to believe that all ten recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of the Director | The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1) | NIST established time frames and completed initiatives that may help sector risk management agencies (SRMAs) address some of the challenges in measuring improvements from sector entities' use of the framework. Specifically, NIST launched its Measurements for Information Security program and associated website in September 2020. The website included links to tools, guidance, and other resources for organizations to better manage cybersecurity risk. With the establishment of this program and website, NIST can help address the challenge of developing precise measurements of improvement and measuring the direct impact of using the framework. In addition, NIST worked with the National Cybersecurity Alliance to publish five small business cybersecurity case studies. According to NIST officials, small businesses wanted examples of the framework applied to case studies in lieu of the starter profiles that NIST had previously been considering. The case studies include actions that are aligned to the framework, lessons learned, and resources that small businesses could use to handle common cybersecurity issues and realize improvements from use of the framework. Issues that the case studies address include automated teller machine skimming, keylogging, malware, and bank fraud; encryption and business security standards; social engineering and phishing; and data breaches. The case studies help address the challenge that SRMAs identified regarding the lack of use cases. By completing these initiatives in response to our recommendation, NIST has helped SRMAs address challenges in identifying sector-wide improvements from using the framework. |
Department of Agriculture | The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2) | In written comments, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. USDA and its co-sector risk management agency (SRMA), the Department of Health and Human Services (HHS), have taken initial steps to identify improvements across the food and agriculture sector, but had not yet identified improvements. Specifically, USDA's Office of Homeland Security, in coordination with HHS's Food and Drug Administration, distributed a voluntary request for information to the food and agriculture sector. The request for information asked sector members about improvements from use of the framework. Due to the low response rate, USDA and HHS could not collect and report improvements based on this request for information. As of October 2021, officials from USDA's Office of Homeland Security did not have additional plans for collecting and reporting improvements from the use of the framework; however, according to agency officials, the department is in the process of preparing a request for information for the fiscal year 2021 Sector Annual Report and may repeat the request for framework data. Until the agency implements our recommendation to collect and report sector-wide improvements, it will not fully understand the value of the framework in protecting the sector from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |
Office of the Secretary of Defense | The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3) | In written comments, the Department of Defense (DOD) concurred with our recommendation. DOD has not yet identified sector-wide improvements from use of the framework. However, the department took steps to encourage improvements in cybersecurity through use of the framework. Specifically, DOD promoted its Defense Industrial Base Guide to Implementing the Cybersecurity Framework to encourage framework usage and provide resources to entities within the sector. The department also reported that it used its Defense Industrial Base Cybersecurity Assessment Center process to assess contractor implementation of NIST Special Publication 800-171, which the department mapped to the framework. The department has not yet determined whether the Defense Industrial Base Cybersecurity Assessment Center process or other approaches could be used to measure improvements across the sector. According to officials in DOD's Office of the Chief Information Officer, the department has focused on ensuring that appropriate cybersecurity requirements are mandated (through regulatory means) and are followed by entities within the sector. Until the department implements our recommendation to collect and report sector-wide improvements, it will not fully understand the value of the framework in protecting the sector from cyber threats. We will continue to monitor the department's progress in implementing our recommendation. |
Office of the Secretary of the Department of Energy | The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4) | In written comments, the Department of Energy (DOE) stated that it partially agreed with our recommendation. DOE has taken initial steps to identify improvements across the energy sector, but it has not yet identified improvements. Specifically, DOE took initial steps to gather information from energy sector members regarding the framework and DOE's Cybersecurity Capability Maturity Model implementation. According to officials from the department's Office of Cybersecurity, Energy Security, and Emergency Response, of the 57 sector members who responded to questions about framework use, 12 members reported making improvements in foundational cybersecurity practices from use of the framework, seven reported making improvements in cyber incident response, and 11 reported making improvements in cyber risk management. However, officials from DOE's Office of Cybersecurity, Energy Security, and Emergency Response believed that the department needed to obtain additional information to identify sector-wide improvements. To facilitate this effort, DOE developed an action plan for additional steps the department could take to measure improvements. For instance, the action plan identified steps DOE could take to gather broader feedback, such as through trade associations and sector owners and operators. Officials from DOE's Office of Cybersecurity, Energy Security, and Emergency Response also noted that they are developing the National Rural Electric Cooperative Association's Rural Cooperative Cybersecurity Capabilities program to further improve cybersecurity for small- and mid-sized entities in the sector. Once the department fully executes its action plan, DOE may be in a position to collect and report sector-wide improvements across its sector from framework use. We will continue to monitor the department's progress in implementing our recommendation. |
Environmental Protection Agency | The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5) | EPA identified improvements to the water and wastewater sector through its technical assistance and assessments. Specifically, EPA launched a voluntary Technical Assistance Provider Initiative to provide cybersecurity assistance and create cybersecurity action plans for sector members. As part of the initiative, EPA's Office of Groundwater and Drinking Water developed metrics based on the framework, which it used to identify improvements resulting, in part, from use of the framework. As of October 2021, 146 utilities had completed both an initial assessment and two follow-up assessments. The data on improvements and progress made included growth that the entities have collectively made in each of the five functional areas of the NIST framework, as well as more specific cybersecurity activities, such as developing a list of cybersecurity best practices and conducting cybersecurity training. For example, during the initial assessment, entities reported implementing 38 percent of the activities that covered the five functional areas of the framework. After two follow-up assessments, the entities reported that they had increased their implementation to 50 percent of the framework's cybersecurity activities. That is a gain of 12 percentage points, or a relative increase of approximately 32 percent in the number of protections implemented against cyber risks, and an overall improvement in the sector entities' cybersecurity from use of the framework. By implementing our recommendation, EPA has a better understanding of the value of the framework in protecting the water and wastewater sector from cyber threats. |
GSA Office of the Administrator | The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6) | GSA, in coordination with its co-sector risk management agency, the Department of Homeland Security's (DHS) Federal Protective Service, identified improvements to the government facilities sector from the sector's use of the framework. Under Executive Order 13800, the federal agencies that make up the government facilities sector were directed to provide a risk management report to the Office of Management and Budget (OMB) and DHS, in which each agency was assessed against the five functional areas of the framework. After receiving risk management reports from sector organizations, OMB identified four areas where agencies needed to improve their cybersecurity programs in its May 2018 Federal Cybersecurity Risk Determination Report and Action Plan. The four areas of improvement were cybersecurity threat awareness; information technology and cybersecurity standardization; security operations center consolidation; and agency accountability. GSA, working with DHS and OMB, identified that agencies in the government facilities sector had taken several steps that resulted in improvements in these four areas. For example, to address the cybersecurity threat awareness improvement area, officials from GSA, DHS, and OMB stated that the Office of the Director of National Intelligence published the Cyber Threat Framework to increase cybersecurity threat awareness. Additionally, to address the information technology and cybersecurity standardization improvement area, DHS's Continuous Diagnostics and Mitigation program provided tools and services that collect and display standardized information to improve cybersecurity posture. Further, to address the security operations center consolidation area of improvement, DHS's Cybersecurity and Infrastructure Security Agency delivered core capability standards that are used to group services for future consolidation of security operations centers. By implementing our recommendation, GSA and DHS have a better understanding of the value of the framework in protecting the government facilities sector from cyber threats. |
Office of the Secretary for HHS | The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7) | In written comments, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. HHS does not yet have efforts underway to identify sector-wide improvements from use of the framework. However, the agency has taken steps to encourage improvement in cybersecurity through use of the framework. Specifically, officials noted that 192 health care and public health entities within the sector are participating in the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's (CISA) cybersecurity assessments and vulnerability scanning to identify cyber vulnerabilities and risks. Aggregated assessment results showed the percentage of entities that had certain vulnerabilities, such as running an unsupported operating system or a risky service on an internet-accessible host. Officials from HHS's Office of the Assistant Secretary for Preparedness and Response noted that if the assessments were done periodically and entities were asked about their framework usage ahead of time, the assessments could be used to determine improvements from framework use. HHS officials noted that they are having conversations with CISA about the possibility of incorporating questions regarding framework use into these assessments, but there is no time frame for when this might occur. In addition, according to officials in HHS's Office of the Assistant Secretary for Preparedness and Response, the agency plans to update the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide. Among other things, the agency intends to include a section on measurement and progress tracking that provides a method of comparing current cybersecurity profiles to target cybersecurity profiles that meet framework standards. Officials from the Office of the Assistant Secretary for Preparedness and Response stated that, following these steps, HHS intends to consider how best to collect and report sector-wide improvements. Until the agency implements our recommendation to collect and report sector-wide improvements, it will not fully understand the value of the framework in protecting the sector from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |
Office of the Secretary for DHS | The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8) | In written comments, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. DHS does not yet have efforts underway to identify sector-wide improvements from use of the framework for the chemical; commercial facilities; communications; critical manufacturing; dams; emergency services; information technology; and nuclear reactors, materials, and waste sectors. Until the agency implements our recommendation to collect and report sector-wide improvements, it will not fully understand the value of the framework in protecting these sectors from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |
Office of the Secretary for DOT | The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9) | In written comments, the Department of Transportation (DOT) stated that it concurred with our recommendation. DOT and its co-sector risk management agency (SRMA), the Department of Homeland Security (DHS), took initial steps to identify improvements across the transportation systems sector, but had not yet identified improvements. Specifically, DOT, in coordination with DHS's Transportation Security Administration, sent a survey to the transportation systems sector. In addition to questions regarding adoption, the survey asked whether the framework provided value to the sector organization in five categories: (1) determining areas for improvement and developing plans to achieve improvements, (2) managing or fulfilling cybersecurity requirements, (3) understanding or managing cybersecurity risk, (4) reducing risk, and (5) prioritizing the relative importance of cybersecurity requirements or activities. The survey also included an open-ended question in which entities could provide additional information about improvements from their use of the framework. According to officials from DOT's Office of Intelligence, Security, and Emergency Response and DHS's Transportation Security Administration, the co-SRMAs are still analyzing the results of the survey and expect to complete their analysis by the end of March 2022. Once the agencies have analyzed the responses, DOT and DHS may be in a position to report improvements from use of the framework among entities within the transportation systems sector. We will continue to monitor the agencies' progress in implementing our recommendation. |
Office of the Secretary for Treasury | The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10) | In written comments, Treasury stated that it agreed with our recommendation. Treasury does not yet have efforts underway to identify sector-wide improvements from use of the framework. However, the department has taken steps to encourage improvement in cybersecurity through use of the framework. Specifically, officials in Treasury's Office of Cybersecurity and Critical Infrastructure Protection stated that the Financial Services Sector Coordinating Council developed a cybersecurity profile, which mapped the framework to other existing sector regulations and guidance. According to officials from the department's Office of Cybersecurity and Critical Infrastructure Protection, Treasury does not currently have the authority or processes to collect and report sector-wide improvements on a regular basis. It is important that Treasury implement our recommendation to collect and report sector-wide improvements in order to fully understand the value of the framework and to better protect critical infrastructure from cyber threats. We will continue to monitor the department's progress in implementing our recommendation. |