Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

• measures of performance and formal mechanism to track progress of the execution of activities; and

• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

Agency: Executive Office of the President: National Security Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector's ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals. (Recommendation 1)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated in its comments that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. We will continue to monitor DHS's actions to address the recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. We will continue to monitor DHS's actions taken to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review and planning effort to ensure the organization addresses the new program's capacity and capability to perform its regulatory, voluntary, and programmatic goals, to include its cybersecurity related functions. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system which, once executed, will work with the new support contractor to build a tool to automate the locating and reporting of a facility's cyber integration level data in a more accessible format. We will continue to monitor the status of DHS's actions to address this recommendation.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1)

Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open

Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.

Recommendation: The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.

Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171 , "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;" and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.

Recommendation: The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800 and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.

Recommendation: The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.

Recommendation: The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9)

Agency: Department of Transportation: Office of the Secretary
Status: Open

Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10)

Agency: Department of the Treasury: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.

Recommendation: The CISA Director should ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. Specifically, in March 2020 CISA finalized its operations plan for the 2020 elections. CISA's operations plan addresses one of the 13 objectives and key actions from the strategic plan -- monitor threat activity. While CISA's operations plan is to supplement the agency's strategy, the plan does not fully address any of the four lines of effort and the other 12 objectives outlined in the strategic plan. When examining the key actions for the remaining 12 objectives in the strategic plan, we were only able to confirm that 10 of the 27 key actions called for in those strategic plan objectives were fully addressed. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The CISA Director should document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency's 2020 planning. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: The agency agreed with the recommendation and has taken steps towards implementing it. We reported in February 2020 that CISA's strategic plan had only addressed three challenges from its external lessons learned review. Subsequently, CISA addressed two additional challenges in its operations plan, which was finalized in March 2020, and its election infrastructure subsector specific plan, which was updated in March 2020. CISA's plans addressed challenges regarding the agency's role in sharing and collecting intelligence across the election community and facilitating industry-wide vulnerability disclosures. However, CISA has not documented how the agency intends to address other identified challenges and how it will incorporate remedial actions into the agency's 2020 planning. We will continue to monitor the agency's progress in implementing our recommendation.

Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: The TSA Administrator should periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. (Recommendation 5)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and stated that TSA will periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. In October 2019, TSA officials reported that they were in the process of reviewing the 2010 Pipeline Security and Incident Recovery Protocol Plan and anticipated completing the review by December 2019. However, this review was delayed and we will continue to monitor TSA's efforts to implement this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA reported that it completed a review of the Pipeline Security Guideline criteria for determining critical facilities. TSA sought and received pipeline stakeholder comments following their review of the criteria. According to TSA officials, TSA is sharing draft criteria with federal stakeholders and anticipates completion of the review by December 31, 2020. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should develop a strategic workforce plan for its Security Policy and Industry Engagement's Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR). (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Priority recommendation

Comments: As of June 2020, TSA reported that officials, including TSA's Office of Human Capital Strategic Planning, began collaborating to draft a strategic workforce plan for the pipeline security section of TSA. According to the officials, while this effort was delayed as TSA's Office of Human Capital needed focus on protecting TSA's workforce in response to the COVID-19 public health emergency, progress has been made. Phase one of a four-phase process began the week of 6/8/2020, with a Manpower Study to be completed by October 2020. The second phase will be a job skills/competency analysis and the third and fourth phases are position management and classification, and plan development and approval, respectively. TSA estimated completion of the workforce plan by June 30, 2021. We will continue to monitor the status of these efforts to develop a strategic workforce plan in response to this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA officials reported meeting with representatives from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) in February and March 2019 for their input on the identification of sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities. TSA officials also reported meeting with RAND personnel in March 2020 to discuss possible contract options for addressing this recommendation. Further action on this recommendation has been limited due to work on the COVID-19 response. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach. (Recommendation 7)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, DHS officials reported that TSA will take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool after addressing recommendations 4,5, and 6 of this report. DHS estimated that this effort would be completed by April 30, 2021.

Recommendation: The Assistant Secretary for Countering Weapons of Mass Destruction should develop a strategy and implementation plan to help the Department of Homeland Security, among other things, guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. (Recommendation 1)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open
Priority recommendation

Comments: DHS agreed with GAO's September 2018 recommendation and is taking actions to address it. Countering Weapons of Mass Destruction Office (CWMD) officials stated in December 2018 that CWMD plans to develop a strategy and implementation plan to help DHS guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. According to CWMD officials, the implementation plan would broadly address DHS chemical defense activities and programs to prevent, protect against, and respond to chemical incidents, including support to federal, state, tribal, and territorial operators and agencies, as well as the private sector. CWMD officials provided GAO with the completed strategy in December 2019 and plan to complete the implementation plan by December 2020. The strategy includes four overarching goals that will drive CWMD's mission in protecting American safety and security from chemical threats and incidents. We will continue to monitor the status of the implementation plan, as completion of both documents is essential to help the CWMD Office guide DHS's efforts to address fragmentation and coordination issues and would be consistent with the office's aim to establish a coherent mission.

Recommendation: The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and has taken steps to implement and monitor two new performance metrics intended to better demonstrate the CFATS program's effectiveness in enhancing national security and reducing national risk. Specifically, according to DHS, these new performance metrics allow for the (1) evaluation of the progress individual facilities have made in enhancing their security while part of the CFATS program, and (2) comparison of the security measures employed by CFATS-covered chemical facilities upon first entering the program against the improved and enhanced security measures contained in their approved CFATS security plans. DHS began reporting the two measures, "Average score of approved Site Security Plans" and "Average score of initial Site Security Plans", for the first quarter of fiscal year 2019. DHS stated that these measures will be used to demonstrate the percent increase in security score of facilities' security plans, resulting in a representation of the increase in the security posture across the facility population, which will be used internally to assess progress. GAO continues to monitor the results of these two new performance metrics.

Recommendation: The Secretary of Agriculture, in cooperation with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the sector coordinating council (SCC), Department of Homeland Security (DHS) and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 1)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: In written comments, United States Department of Agriculture (USDA) neither agreed nor disagreed with the recommendation in our report, but stated that it would attempt to develop a measurement mechanism as part of its annual data calls to the Food and Agriculture Sector. Specifically, officials stated that the diversity of the sector makes it difficult to develop a method for determining the level and type of framework adoption across the sector that would apply to all members. USDA officials added, however, that the sector coordinating council frequently invites the Department of Homeland Security to semi-annual meetings to present on both the threat to cybersecurity and resources available to support the needs of the sector. However, as of January 2020, USDA officials had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 3)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: The Department of Energy (DOE) stated that it worked with stakeholders to better align the Cybersecurity Capability Maturity Model (C2M2) with the updated NIST Cybersecurity Framework but did not provide specific information regarding the adoption or use of the framework. To fully address the recommendation, DOE should have a more comprehensive understanding of the framework's use by sector entities if DOE, along with other entities, want to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework. We will continue to monitor DOE actions in response to this recommendation.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 4)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: In written comments, EPA did not explicitly state whether it agreed or disagreed with our recommendation, but said that several factors constrain the agency from implementing the recommendation. EPA also said it agrees that a comprehensive assessment of framework adoption within the water sector would assist with evaluating and tailoring efforts to promote its use. Further, the agency stated that it will continue to work with the Water Sector Coordinating Council and sector partners to promote and facilitate adoption of the cybersecurity framework. The agency also suggested options related to developing cross-sector metrics and survey methods and stated that it will collect available data that may be characterized as cybersecurity framework "awareness," such as downloads of guidance materials and participation in classroom trainings and webinars. However, as of February 2020, EPA had yet to develop methods to determine the level and type of framework adoption. Officials identified steps the department is taking to facilitate framework use. Specifically, EPA officials told us that the agency will coordinate with its Sector Coordinating Council to identify appropriate means to collect and report information, including a survey, to determine the level and type of framework adoption. They explained that, in the past, the water sector expressed concerns with sharing sensitive cybersecurity information and in developing metrics to evaluate cybersecurity practices. . However, EPA officials stated that they have conducted training, webcasts, and outreach related to cybersecurity, including using the framework and tailoring its efforts to sector needs. According to EPA officials, the agency's goal in doing so was to ensure that sector organizations understood the importance of the framework. While the agency has some ongoing initiatives, implementing our recommendation to gain a more comprehensive understanding of the framework's use by its critical infrastructure sector is essential to the success of protection efforts.

Recommendation: The Secretary of Health and Human Services, in cooperation with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 6)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In written comments, the Department of Health and Human Services (HHS) concurred with the recommendation in our report and stated that it would work with appropriate entities to assist in sector adoption. HHS officials, in collaboration with NIST and a joint Cybersecurity Working Group, developed 10 best practices in May 2017 (Health Industry Cybersecurity Practices) for the Healthcare and Public Health Services sector based on the framework. These practices allowed stakeholders to identify how to use the framework with existing sector resources by raising awareness and providing vetted cybersecurity practices to enable the organizations to mitigate cybersecurity threats to the sector. In addition, officials from HHS's Assistant Secretary for Preparedness and Response (ASPR) stated that the working group discussed the challenges associated with measuring the use and impact of the NIST framework, and approved the establishment of a task group to further investigate the issue. ASPR officials added that some of the ideas discussed included the use of surveys and identification of a set of voluntary reporting indicators. In its fiscal year 2021 budget justification, HHS noted that it participated in a Health Care SCC Cybersecurity Working Group survey that was sent to group members in June 2019. However, while the survey included a question on the extent a working group member used the framework, SCC officials stated that the survey results were not statistically meaningful. While the department has ongoing initiatives, it had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.

Recommendation: The Secretary of Homeland Security, in cooperation with the co-SSAs as necessary, should take steps to consult with respective sector partner(s), such as the SCC, and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors. (Recommendation 7)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In written comments, the Department of Homeland Security (DHS) concurred with the recommendation in our report and stated that its National Protection and Programs Directorate, as the sector-specific agency for 9 of the 16 critical infrastructure sectors, will continue to work closely with its private sector partners to ensure framework adoption is a priority. Additionally, the department stated that the directorate will work closely with its private sector partners to better understand the extent of framework adoption and barriers to adoption by entities across their respective sectors. As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, in October 2019, DHS, in coordination with its Information Technology (IT) sector partner, administered a survey to all small and midsized IT sector organizations to gather information on, among other things, framework use and plans to report on the results in 2020. DHS officials stated that any small or mid-sized business across all critical infrastructure sectors could complete the survey and that the department had promoted the survey to all sectors.

Recommendation: The Secretary of Transportation, in cooperation with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 8)

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, officials in the Department of Transportation's (DOT) Office of Intelligence, Security, and Emergency Response, in coordination with the Department of Homeland Security (DHS), told us that they planned to develop and distribute a survey to the Transportation Systems sector to determine the level and type of framework adoption. DOT officials stated that the draft survey was undergoing DHS legal review and that the completion of the review and subsequent Office of Management and Budget review would determine when the survey is approved for distribution.

Recommendation: The Secretary of Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sector. (Recommendation 9)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury neither agreed nor disagreed with the recommendation in our report. The department stated that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from use of the framework with input from the sector coordinating council (SCC) and financial regulators. However, as of January 2020, the department had yet to develop methods to determine the level and type of framework adoption. Treasury officials stated that the department, in coordination with the Financial and Banking Information Infrastructure Committee, and in consultation with NIST, developed the Cybersecurity Lexicon in March 2018. The lexicon addressed, among other things, common terminology for cyber terms used in the framework. Additionally, the Financial Services sector, in consultation with NIST, created the Financial Service Sector Cybersecurity Profile (profile) in October 2018, which mapped the framework core to existing regulations and guidance, such as the Commodity Futures Trading Commission System Safeguards Testing Requirements. Officials stated that these efforts will facilitate the use of the framework. However, while the department has ongoing initiatives, implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.

Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.

Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.

Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

Agency: Department of Homeland Security
Status: Open

Comments: As of 2/12/2020, awaiting additional evidence/clarification from DHS.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury, as the sector-specific agency for the financial services sector, continues to develop initiatives intended to enhance the sector's cybersecurity. In 2016, Treasury developed and promulgated a set of seven fundamental elements or critical building blocks for sector stakeholders' cybersecurity, disseminated a template for financial sector cyber exercises, and promoted the NIST Cybersecurity Framework throughout the sector. However, they have not provided evidence of metrics implemented, and the 2015 sector-specific plan does not include specific metrics to track and report on their effectiveness. We will continue to monitor Treasury's efforts to create specific metrics and related reports on the sector's cybersecurity progress.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (USDA), as the co-sector specific agency for the food and agriculture sector, with the Department of Health and Human Services (HHS) continues to implement cybersecurity-related activities for the sector. In particular, USDA, through the sector coordination council, routinely shares best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, USDA has hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As USDA and HHS continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS), as the co-sector specific agency for the food and agriculture sector, with the Department of Agriculture (USDA) continues to implement cybersecurity-related activities for the sector. In particular, through the sector coordination council, they routinely share best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, they have hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As HHS and USDA continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) continues to develop and implement activities in support of the water and wastewater sector's cybersecurity such as a cyber-attack risk assessment tool and cybersecurity training for sector partners. The 2015 water and wastewater sector-specific plan calls for assessing performance and reporting on sector cybersecurity progress; however, the plan does not state specific measures. In 2017, agency officials stated that the development of performance metrics in collaboration with sector partners was underway; however, EPA has not provided evidence of the metrics or any tracking effort. As EPA continues to carry out its sector-specific agency role, we will continue to monitor its efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.

Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

Agency: Department of Homeland Security
Status: Open

Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. In August 2020, DHS officials provided GAO with additional information regarding their progress on implementing the recommendation. We will update the status of this recommendation after we review the additional information from DHS.