Several Federal agencies that have been tasked with promoting the adoption of cybersecurity standards by private-sector critical infrastructure providers are coming up short in their efforts to evaluate whether private providers are getting that work done.
That’s the top-line finding from a new Government Accountability Office report issued Feb. 9.
The report tracks the degree to which Federal agencies designated as “sector risk management agencies” (SMRAs) to cover 16 U.S. critical infrastructure providers have followed through on seeing how those sectors are progressing in adopting voluntary cybersecurity standards created by the National Institute of Standards and Technology (NIST) for critical infrastructure providers in 2014.
By the Numbers
GAO said that of the 16 total critical infrastructure sectors that are divided up among nine Federal agencies that serve in the SMRA role:
- Only the SRMAs for three of the 16 sectors have “determined the extent of their sector’s adoption” of the NIST cyber framework. In those cases, the SRMAs “took actions such as developing sector surveys and conducting technical assessments mapped to framework elements,” GAO said. Those three sectors are: defense industrial base; government facilities; and water and wastewater.
- SRMAs for four of the 16 sectors have taken “initial steps” to determine adoption with the NIST framework. Those four sectors are: energy; food and agriculture; information technology; and transportation systems.
- SMRAs for nine of the 16 sectors “have not taken steps to determine framework adoption,” GAO said. Those nine sectors are: chemical; commercial facilities; communications; critical manufacturing; dams; emergency services; financial services; healthcare and public health; and nuclear reactors, materials, and waste.
GAO explained in the new report why the work of the SMRAs is important.
“Regarding improvements resulting from sector-wide use, five of the 16 critical infrastructure sectors’ SRMAs have identified or taken steps to identify sector-wide improvements from framework use, as GAO previously recommended,” the watchdog agency said.
“In addition, SRMAs for the government facilities sector identified improvements in cybersecurity performance metrics and information standardization resulting from Federal agencies’ use of the framework,” GAO said.
SRMAs for the remaining 11 sectors didn’t identify improvements, and were not able to describe potential successes from their sectors’ use of the framework.
Lagging on Recommendations
GAO explained that in prior reports issued in 2017 and 2019, the agency had “recommended that the nine SRMAs (1) develop methods for determining the level and type of framework adoption by entities across their respective sectors and (2) collect and report sector-wide improvements.”
“Most agencies have not yet implemented these recommendations,” GAO said in its latest report.
Agencies Cite Difficulties
For their part, SMSAs told GAO about a range of challenges they face in determining NIST cyber framework adoption and identifying sector-wide improvements.
“For example, they noted limitations in knowledge and skills to implement the framework, the voluntary nature of the framework, other priorities that may take precedence over framework adoption, and the difficulty of developing precise measurements of improvement were challenges to measuring adoption and improvements,” GAO recounted.
“To help address challenges, NIST launched an information security measurement program in September 2020 and the Department of Homeland Security has an information network that enables sectors to share best practices,” GAO said, adding “implementing GAO’s prior recommendations on framework adoption and improvements are key factors that can lead to sectors pursuing further protection against cybersecurity threats.”
The nine Federal agencies that act as SMRAs are: the departments of Agriculture, Defense, Energy, Health and Human Services, Homeland Security, Transportation, and Treasury, along with the Environmental Protection Agency, and the General Services Administration.