
GAO recommends additional actions to determine federal cybersecurity framework adoption

After assessing the extent to which critical infrastructure sectors have adopted the federal Framework for Improving Infrastructure Cybersecurity standards, the Government Accountability Office (GAO) has made nine recommendations for improvement.

The framework in question was developed in 2014 and represented a voluntary approach to instituting cybersecurity standards and procedures. At that time, GAO was also authorized to review progress, and in this case, it interviewed relevant officials and reviewed documentation to make its assessment. It determined that further action is necessary, despite most of the 16 critical infrastructure sectors having already taken action to adopt the National Institute of Standards and Technology’s (NIST) framework.

Complicating matters, some of these sectors may be limited in their ability to commit resources to the framework’s adoption, may not have the knowledge or skills necessary, are hamstrung by regulatory, industry and other requirements, and may face other priorities that take precedence. Further, while federal and nonfederal sector partners have to measure the effectiveness of risk management goals, none of the sector-specific agencies (SSAs) or coordinating councils actually measures the framework’s implementation or reports collecting information from anyone about critical infrastructure protection activities.

SSA officials said the voluntary nature of the framework impedes such efforts. The GAO said this will limit efforts to understand the success of their protective efforts or to figure out where to focus limited resources for further protection.

As such, GAO made nine recommendations, targeting different sectors. For the Department of Agriculture, it called for a cooperative effort with the Secretary of Health and Human Services to consult sector partners to develop methods for determining the level and type of framework adoption therein. Similar recommendations were made for the Department of Defense, the Department of Energy, the Environmental Protection Agency, the General Services Administration, the Department of Health and Human Services, the Department of Homeland Security, the Department of Transportation, and the Treasury Department.

Chris Galford
