Cyber threats to the nation’s critical infrastructure, including financial services, transportation and energy sectors, continue to increase and represent a significant national security challenge. To better address such threats, the National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity, as called for by federal law.
A new Government Accountability Office (GAO) review of 12 organizations found that all were voluntarily using the framework, and reported seeing benefits. Such improvements included identifying risks and implementing common standards and guidelines.
However, GAO found that agencies with lead roles in protecting critical infrastructure are not collecting or reporting on improvements from using the framework.
GAO’s February 25 report stated that most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the NIST framework, as GAO had previously recommended.
Two of the nine SSAs have developed methods and two others have begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework.
In addition, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the lack of precise measurements of improvement, lack of a centralized information sharing mechanism, and the voluntary nature of the framework.
NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments. First, NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization’s objectives.
Meanwhile, DHS has identified its homeland security information network as a tool intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
To address the potential pitfalls arising from the voluntary nature of assessment, NIST issued its Roadmap for Improving Critical Infrastructure Cybersecurity, which includes a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.
Some SSAs have taken additional steps to determine the level and type of framework adoption in their sector. In October 2019, DHS, in coordination with its information technology (IT) sector partner, administered a survey to all small and midsized IT sector organizations to gather information on, among other things, framework use; DHS plans to report on the results in 2020.
Further, officials in the Department of Transportation’s (DOT) Office of Intelligence, Security, and Emergency Response, in coordination with its co-SSA (DHS), told GAO that the office plans to develop and distribute a survey to the transportation systems sector to determine the level and type of framework adoption. DOT officials stated that the draft survey was undergoing DHS legal review and that the completion of that review would determine when the survey is approved for distribution.
Private sector framework adoption is voluntary and, therefore, there are no specific reporting requirements to provide information on improvements. For example, DOT officials stated that, while the department and its co-SSA (DHS) intended to develop the survey to determine sector-wide improvements, consolidating voluntarily shared information will not reflect the depth and breadth of sector stakeholders, as organizations that share information will not collectively represent a sector.
As a result of the review, GAO recommends that NIST establish time frames for completing its initiatives, including the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats.
GAO also recommended that 10 agencies consult with their respective sector partners to collect and report sector-wide improvements from use of the framework across their critical infrastructure sectors, using existing initiatives.
The agencies and departments were Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, Transportation, Treasury, Environmental Protection, and General Services. The majority of agencies, including DHS and DOT, agreed with the recommendations.