Increasing cyber threats, like the May 2021 ransomware cyberattack on an American oil pipeline system that led to regional gas shortages, represent a significant national security challenge.
Writing for Homeland Security Today earlier this month, FBI Supervisory Special Agent Ted P. Delacourt said “fewer strategies than cyber attacks can offer better plausible deniability and can cause greater anxiety and instability to our society than targeting the systems and networks that enable our day-to-day activities”.
Delacourt explained how an attack on one critical infrastructure sector may initiate a failure in another or cascade to the entire interconnected network. Further, “the mix of public, private, and non-governmental operations across each critical infrastructure sector complicates remediation of identified vulnerabilities and information sharing on actual or potential attacks.”
To help protect U.S. critical infrastructure from cyber attacks, the National Institute of Standards and Technology (NIST) developed cybersecurity standards and procedures that organizations within these sectors may voluntarily use.
Federal agencies with a lead role to assist and protect one or more of the nation’s 16 critical infrastructures are referred to as sector risk management agencies (SRMAs). A review by the Government Accountability Office (GAO) found that the SRMAs for three of the 16 critical infrastructures have determined the extent of their sector’s adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity. These lead agencies took actions such as developing sector surveys and conducting technical assessments mapped to framework elements. SRMAs for four further sectors have taken initial steps to determine adoption, but GAO found that lead agencies for nine sectors have not taken steps to determine framework adoption.
In February 2020, GAO reported that DOD, in collaboration with the defense industrial base sector, had developed a process, through its cyber incident reporting scorecard, to monitor the level or extent to which contracts (not including commercial off-the-shelf contracts) were or were not adhering to the cybersecurity requirements in DOD acquisition regulations. By doing so, DOD was able to determine the level at which the sector organizations are implementing the framework and the type of framework adoption through mapping to the functional areas. As of June 2020, DOD determined that approximately 95 percent of contracts (not including commercial off-the-shelf contracts) included a clause from DOD regulation that required implementation of security requirements from NIST.
The Department of Transportation (DOT) and the Department of Homeland Security (DHS) conducted a survey and expect to complete their analysis by the end of March 2022. In addition to questions regarding adoption, the survey also asked questions regarding whether the framework provided value to the sector organization in five categories: (1) determining areas for improvement and developing plans to achieve improvements, (2) managing or fulfilling cybersecurity requirements, (3) understanding or managing cybersecurity risk, (4) reducing risk, and (5) prioritizing the relative importance of cybersecurity requirements or activities. An open-ended question was also included in the survey for entities to provide additional information about improvements from their use of the framework.
Five of the 16 critical infrastructure sectors’ SRMAs have identified or taken steps to identify sector-wide improvements from framework use, as GAO previously recommended. For example, the Environmental Protection Agency identified an approximately 32 percent overall increase in the use of framework-recommended cybersecurity controls among the 146 water utilities that requested and received voluntary technical assessments. In addition, SRMAs for the government facilities sector identified improvements in cybersecurity performance metrics and information standardization resulting from federal agencies’ use of the framework.
GAO found that DHS’s Continuous Diagnostics and Mitigation program helped address information technology and cybersecurity standardization by providing tools and services that collect and display standardized information to improve cybersecurity posture. Elsewhere within DHS, the Cybersecurity and Infrastructure Security Agency delivered core capability standards that are used to group services for future consolidation of security operation centers.
However, GAO’s review found that SRMAs for 11 sectors did not themselves identify improvements and were not able to describe potential successes from their sectors’ use of the framework.
SRMAs told GAO of various challenges to determining NIST framework adoption and identifying sector-wide improvements. For example, they noted that limitations in knowledge and skills to implement the framework, the voluntary nature of the framework, other priorities that may take precedence over framework adoption, and the difficulty of developing precise measurements of improvement were all obstacles to measuring adoption and improvements. To help address these and other challenges, NIST launched an information security measurement program in September 2020, and DHS operates an information network that enables sectors to share best practices.
In prior reports, GAO has recommended that some SRMAs develop methods for determining the level and type of framework adoption by entities across their respective sectors and collect and report sector-wide improvements. But the watchdog says most agencies have not yet implemented these recommendations and renewed its calls for them to do so.