Agencies need to better track adoption of cyber framework in critical infrastructure, GAO says
Despite federal efforts to help critical infrastructure sectors protect their networks by adopting a key cybersecurity framework, a lack of insight into their progress and other obstacles remain, a new Government Accountability Office report says.
The report examines federal agency engagement toward 16 critical infrastructure sectors as they adopt the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, a risk-based strategy for cyberdefense. By executive order, federal agencies are required to implement the framework, but it’s voluntary for private sector companies.
The report found that while 12 sectors have developed implementation guidance for how to adopt the framework, three others were still deliberating on what guidance to apply, and another planned to not develop any guidance at all.
Nine sector-specific agencies (SSAs) — including the departments of Homeland Security, Defense, Agriculture, Energy, Health and Human Services and others — coordinate with sector coordinating councils (SCCs) made up of representatives from each sector to provide outreach methods and help develop guidance on how their companies can implement the NIST framework.
Despite DHS’s Critical Infrastructure Cyber Community Voluntary Program and other SSAs providing programs to industry to assist the sectors, the report identified four challenges that inhibit them from adopting the NIST framework: limited resources, a lack of the knowledge necessary for adoption, inhibiting regulations or requirements, and other priorities that take precedent over framework adoption.
GAO officials also said that because adoption of the framework is voluntary for private sector entities, neither the sector-specific agencies or the sector coordinating councils have maintained reporting systems to track the progress of those who do decide to implement the framework.
The report also found that while agencies within the government facilities sector — overseen by DHS and the General Services Administration — were required to implement the framework, GSA officials said it was up to each agency to determine its method of adoption.
“Without an accurate assessment of framework adoption within each sector, federal entities, SSAs and SCCs lack a comprehensive understanding of the current adoption level within critical infrastructure sectors,” the report said. “As such, SSAs are unable to tailor their guidance to effectively encourage the use of the framework to sector stakeholders.”
GAO offered nine recommendations directing the SSAs to develop “methods for determining the level and type of framework adoption by entities across their respective sector.”
Five agencies concurred with the report’s recommendations, while the departments of Agriculture, Energy and Treasury, as well as the Environmental Protection Agency, did not agree or disagree with the recommendations, but said they would continue efforts to promote and facilitate framework adoption.