GAO Snaps at Critical Infrastructure Protection Ambiguity

Critical infrastructure protection is so vital to the United States’ national and economic security, as well as public health and safety, that disruption or destruction of any of the 16 critical sectors would have a debilitating effect on the nation.

The National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” is designed to give organizations in those 16 sectors guidance on how to implement effective measures to protect their assets, systems, and networks from cyber threats. The critical infrastructure sectors include the chemical, communications, defense industrial base, emergency services, energy, financial, food and agriculture, health, nuclear reactors and material waste, transportation, and water and wastewater sectors.

The problem is, implementation of the framework is voluntary, and the nine Federal agencies overseeing each of their respective critical infrastructure sectors have no clear idea of how many companies or organizations are actually implementing the “Framework for Improving Critical Infrastructure Cybersecurity,” according to a new Government Accountability Office (GAO) report.

Without an accurate assessment of framework adoption within each sector, the Federal government lacks a comprehensive understanding of the current adoption level within critical infrastructure sectors, the GAO states.

Until the government agencies overseeing the critical infrastructure protection “have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts, or to determine where to focus limited resources for cyber risk mitigation,” the GAO report states.

The agencies, known as sector-specific agencies, responsible for ensuring that critical infrastructure organizations are implementing cyber protection guidance include the Departments of Agriculture (USDA), Defense, Energy, Health and Human Services, Homeland Security, Transportation, and Treasury; the Environmental Protection Agency; and the General Services Administration.

Federal officials from the agencies, NIST, and the sector coordinating councils identified four challenges that might be hampering cybersecurity framework adoption.

Specifically, some entities:

  • May be limited in their ability to commit necessary resources towards framework adoption
  • May not have the necessary knowledge and skills to effectively implement the framework
  • May face regulatory, industry, and other requirements that inhibit adopting the framework
  • May face other priorities that take precedence over conducting cyber-related risk management or adopting the framework

In addition to these challenges, the voluntary nature of framework adoption affects whether a sector-specific agency has any mechanism in place to determine if the framework is being adopted at all.

For example, according to the GAO report, “Department of Energy officials stated that, since the framework is a voluntary tool, they had not taken any formal action to solicit or survey the status of implementation amongst energy sector entities. They further indicated that they did not have any plans to develop such measurements.”

Although the sector agencies have not comprehensively measured adoption of the framework, other organizations in academia and consulting have attempted to gather information about the framework’s implementation, with varying results.

GAO recommended that the sector agencies, in cooperation with the Secretaries of their respective departments, consult with their sector partners, as appropriate, to develop methods for determining the level and type of framework adoption by entities across their respective sectors.

Five agencies agreed with the GAO recommendations and four neither agreed nor disagreed with the recommendations. USDA officials neither agreed nor disagreed with the recommendation, but stated that the department will attempt to develop a measurement mechanism as part of its annual data calls to the food and agriculture sector. The USDA is committed to providing its sector members with guidance on framework adoption in 2018, officials said.

One Comment
  1. Anonymous:
    Wow... clear as mud. "The problem is, implementation of the framework is voluntary, and the nine Federal agencies overseeing each of their respective critical infrastructure sectors have no clear idea of how many companies or organizations are actually implementing the “Framework for Improving Critical Infrastructure Cybersecurity,” according to a new Government Accountability Office (GAO) report." What do companies have to do with this? It should be whether the CIO/CSO knows if their organization is actually implementing.