Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: Commerce
GAO-20-394, May 12, 2020
Phone: (202) 512-8612
Agency: Department of State
Status: Open
Comments: The Department of State concurred with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce concurred with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of State
Status: Open
Comments: The Department of State concurred with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense concurred with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-299, Feb 25, 2020
Phone: (202) 512-6240
Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open
Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.
Agency: Department of Agriculture
Status: Open
Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.
Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.
Agency: Department of Energy: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.
Agency: Environmental Protection Agency
Status: Open
Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800, and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) standardizing IT and cybersecurity capabilities, (3) consolidating agency SOCs to improve incident detection and response capabilities, and (4) driving accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.
Agency: Department of Transportation: Office of the Secretary
Status: Open
Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.
Agency: Department of the Treasury: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.
GAO-18-216, Jan 30, 2018
Phone: (202) 512-8612
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Comments: CBP concurred with this recommendation. In September 2018, CBP stated that it had established an IPR working group that meets every 4-6 weeks to implement its Fiscal Year 2018 IPR Strategic Plan and develop priorities and metrics. CBP stated that, in these meetings, headquarters and field personnel share information on the results and effectiveness of local and national port initiatives and develop policies for improving IPR enforcement. Additionally, CBP provided evidence that it has begun efforts to improve its tracking of metrics and evaluation of selected activities to enhance IPR enforcement. For example, CBP provided data for 5 of the 16 measurement indicators included in its IPR Strategic Plan. Additionally, the IPR Strategic Plan includes at least 5 action items to assess or evaluate aspects of CBP's IPR enforcement. As of February 2020, CBP officials indicated they are continuing to work on these efforts. We will continue to monitor their implementation.
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Comments: CBP concurred with this recommendation. CBP stated that, in May 2018, it briefed the Senate Finance Committee on six policy goals to improve IPR, import safety, and e-commerce enforcement that require additional legislative authority to implement. In December 2018, CBP stated that it had identified the need to establish an information sharing structure for e-commerce as a first step in implementing its E-Commerce Strategy. CBP officials stated that they would work with offices throughout CBP and with key stakeholders in the trade community and the Commercial Customs Advisory Committee (COAC) to build an information sharing structure and identify the necessary statutory and regulatory changes to implement it. CBP said that, when statutory changes have been identified, it will work through the interagency process to make any necessary Congressional recommendations. In January 2020, the Department of Homeland Security published a report that identified actions to combat trafficking of counterfeit and pirated goods in conjunction with the private sector. These actions included steps to share additional information with the private sector. For example, the report said that when CBP identifies suspected counterfeit merchandise that is destined for a U.S. fulfillment center or warehouse, it will notify the e-commerce platform or other third-party intermediary operating the facility. This will allow the operator of the fulfillment center or warehouse to remove or destroy any identical items from the same seller in coordination with rights holders. The report also recommends the formation of the Anti-Counterfeiting Consortium to Identify Online Nefarious Actors and a framework for sharing information with sellers, shippers, and other third-party intermediaries. If implemented, these steps could help to enhance information sharing with the private sector. GAO continues to monitor the implementation of these actions.