Report Finds Most Agencies Not Developing Cybersecurity Recommendations
Thursday, February 27, 2020

A Government Accountability Office (GAO) report said most agencies with a lead role in protecting the 16 critical infrastructure sectors have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, as previously recommended.

Specifically, two of the nine sector-specific agencies (SSAs) had developed such methods, and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, said they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that maps existing sector cybersecurity tools, standards and approaches to the framework.

In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.

The 16 sectors included in the study are chemical; commercial facilities; communications; critical manufacturing; dams; emergency services; energy; transportation systems; water and wastewater systems; nuclear reactors, materials and waste; defense industrial base; financial services; food and agriculture; government facilities; healthcare and public health; and information technology.

The 12 selected organizations using the framework reported varying levels of resulting improvements, such as better identification of risks and the implementation of common standards and guidelines. However, the SSAs have not collected and reported sectorwide improvements. The SSAs and organizations identified impediments to doing so, including the lack of precise measures of improvement, the lack of a centralized information-sharing mechanism, and the voluntary nature of the framework.

NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments. NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.

DHS identified its Homeland Security Information Network (HSIN) as the tool intended to be the primary system that all sectors could use to report best practices, including sectorwide improvements and lessons learned from using the framework. In April 2019, NIST issued the NIST Roadmap for Improving Critical Infrastructure Cybersecurity, version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risk and to identify improvement opportunities.

While these initiatives are encouraging, the SSAs have not yet reported on sectorwide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.

GAO made 10 recommendations: one to NIST, to establish time frames for completing selected programs, and nine to the SSAs, to collect and report on improvements gained from using the framework. Eight agencies agreed with the recommendations, one neither agreed nor disagreed, and one partially agreed. GAO continues to believe that all 10 recommendations are warranted.

More information and the full report are available here.
