In a report released Feb. 25, the Government Accountability Office (GAO) said that “most” of nine agencies tasked with protecting the 16 critical infrastructure sectors “have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.”
The nine sector-specific agencies (SSAs) identified by GAO are the Departments of Agriculture, Defense, Energy, Homeland Security, Transportation, Treasury, and Health and Human Services, the General Services Administration, and the Environmental Protection Agency. Of those agencies, two have developed methods to determine their level of adoption and another two have begun taking steps to do so. However, the five remaining agencies haven’t developed methods to determine their framework adoption.
As for the 16 critical infrastructure sectors, 13 said they have taken steps to “encourage and facilitate use of the framework.” GAO interviewed 12 of the 16 sectors and found that all 12 are either fully or partially using NIST’s framework.
While that is positive news, GAO noted that there is still room for improvement. “The 12 selected organizations using the framework reported varying levels of resulting improvements,” the report noted. “Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements.” SSAs and critical infrastructure sectors identified impediments to doing so, including the lack of precise measurements of improvement, the lack of a centralized information-sharing mechanism, and the voluntary nature of the framework.
In the report, GAO offered the SSAs and NIST the following recommendations:
- The Director of NIST should establish time frames for completing NIST’s initiatives, including the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats.
- The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s)…to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.
- The Secretaries of Defense, Energy, Homeland Security, Treasury, and Transportation, as well as the Administrators of the Environmental Protection Agency and the General Services Administration, should take steps to consult with respective sector partner(s)…to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.