A GAO report has found that additional actions are needed to assess adoption of the cybersecurity framework across the critical infrastructure sectors.
GAO found that most of the 16 critical infrastructure sectors took action to facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity by entities within their sectors. Federal policy directs the nine sector-specific agencies (SSAs), in conjunction with DHS, to review the cybersecurity framework.
DHS identified four challenges to cybersecurity framework adoption: an inability to commit the necessary resources, a lack of knowledge and skills, regulatory requirements, and other priorities taking precedence.
All sectors are also expected to measure the effectiveness of their risk management goals by identifying high-level outcomes and the progress made toward national priorities, including securing critical infrastructure against cyber threats. GAO found, however, that none of the sector coordinating councils reported having qualitative or quantitative measures of framework adoption.
GAO concluded that, until the SSAs understand how entities within their critical infrastructure sectors are using the framework, they will be limited in their ability to judge the success of cybersecurity measures or to decide where to focus resources. It recommends that all nine SSAs, which include the Department of Defense, the GSA and DHS, consult with sector partners to determine the level of framework adoption across their respective sectors.