Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements
Fast Facts
Q: How does the government help keep banks, water systems, and other critical infrastructure from getting hacked?
A: A federal agency that issues standards and procedures—NIST—has a cybersecurity framework that critical infrastructure organizations can adopt.
All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organization said that the framework allowed it to better identify and address cybersecurity risks.
However, the agencies with lead roles in protecting critical infrastructure are not collecting or reporting on improvements from using the framework as we recommended.
Highlights
What GAO Found
Most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework), as GAO previously recommended. Specifically, two of the nine SSAs had developed methods and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.
The 12 selected organizations using the framework reported varying levels of resulting improvements. Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the (1) lack of precise measurements of improvement, (2) lack of a centralized information sharing mechanism, and (3) voluntary nature of the framework. NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments.
- Precise measurements: NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.
- Centralized sharing: DHS identified its homeland security information network as a tool that was intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
- Voluntary nature: In April 2019, NIST issued its NIST Roadmap for Improving Critical Infrastructure Cybersecurity, version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.
While these initiatives are encouraging, the SSAs have not yet reported on sector-wide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.
Why GAO Did This Study
Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures.
The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials.
Recommendations
GAO is making ten recommendations: one to NIST on establishing time frames for completing selected programs, and nine to the SSAs to collect and report on improvements gained from using the framework. Eight agencies agreed with the recommendations, while one neither agreed nor disagreed and one partially agreed. GAO continues to believe that all ten recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of the Director | The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1) | NIST established time frames and completed initiatives that may help sector risk management agencies (SRMAs) address some of the challenges in measuring improvements from sector entities' use of the framework. Specifically, NIST launched its Measurements for Information Security program and associated website in September 2020. The website included links to tools, guidance, and other resources for organizations to better manage cybersecurity risk. With the establishment of this program and website, NIST can help address the challenge of developing precise measurements of improvement and measuring the direct impact of using the framework. In addition, NIST worked with the National Cybersecurity Alliance to publish five small business cybersecurity case studies. According to NIST officials, small businesses wanted examples of the framework applied to case studies in lieu of creating starter profiles that NIST was previously considering. The case studies include actions that are aligned to the framework, lessons learned, and resources that small businesses could use to handle common cybersecurity issues and realize improvements from use of the framework. Issues that the case studies address include automated teller machine skimming, keylogging, malware, and bank fraud; encryption and business security standards; social engineering and phishing; and data breaches. The case studies help address the challenge that SRMAs identified regarding the lack of use cases. By implementing our recommendation and completing these important initiatives, NIST's efforts help SRMAs address challenges in identifying sector-wide improvements from using the framework. |
Department of Agriculture | The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2) | USDA concurred with our recommendation and has taken steps toward implementing it. For example, USDA, in partnership with the Department of Health and Human Services, has distributed multiple requests for information to sector members that include questions regarding framework adoption and improvements. In addition, USDA requested feedback from sector partners and made subsequent changes to its data calls. Despite these efforts, as of February 2024 USDA has not yet collected information regarding sector improvements resulting from use of the NIST cybersecurity framework. To fully implement this recommendation, USDA needs to collect and report on sector-wide improvements resulting from use of the framework. Until the department does so, it will not fully understand the value of the framework and approaches that could be prioritized in helping protect the food and agriculture sector from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |
Office of the Secretary of Defense | The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3) | The Department of Defense (DOD) concurred with our recommendation and has taken actions to implement it. In December 2023, DOD demonstrated that its Office of the Chief Information Officer measured improvements among sector entities in adopting cybersecurity practices associated with the DOD Cyber Crime Center's cyber resilience analysis. In addition, in February 2024 DOD demonstrated that it had mapped cybersecurity practices in its cyber resilience analysis with practices from NIST Special Publication 800-171 and the NIST cybersecurity framework. According to DOD, sector entities that conducted multiple cyber resilience analyses achieved an average improvement rate of 42 percent in the associated cybersecurity practices. By collecting and reporting sector improvements from the use of the NIST cybersecurity framework, DOD will be able to fully understand the value of the framework and approaches that could be prioritized in helping protect the defense industrial base sector from cyber threats. |
Office of the Secretary of the Department of Energy | The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4) | The Department of Energy (DOE) partially concurred with our recommendation and stated that it will coordinate with the energy sector to develop an understanding of sector-wide improvements from use of the NIST cybersecurity framework. In August 2023, DOE, in coordination with a third-party contractor, identified strengths and weaknesses in the energy sector's implementation of the NIST cybersecurity framework based on its analysis of sector entity self-assessments. As a result of these efforts, DOE identified next steps for helping the energy sector improve its cybersecurity and resilience posture. While DOE has taken action to assess the sector's implementation of the NIST cybersecurity framework, as of February 2024 the department has not yet collected and reported on sector-wide improvements resulting from use of the framework. Until DOE implements this recommendation, it may not fully understand the value of the framework and approaches that should be prioritized in helping protect the energy sector from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |
Environmental Protection Agency | The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5) | EPA identified improvements to the water and wastewater sector through its technical assistance and assessments. Specifically, EPA launched a voluntary Technical Assistance Provider Initiative to provide cybersecurity assistance and create cybersecurity action plans for sector members. As part of the initiative, EPA's Office of Groundwater and Drinking Water developed metrics based on the framework, which it used to identify improvements resulting, in part, from use of the framework. As of October 2021, 146 utilities had completed both an initial assessment and two follow-up assessments. The data on improvements and progress made included growth that the entities have collectively made in each of the five functional areas of the NIST framework, as well as more specific cybersecurity activities, such as developing a list of cybersecurity best practices and conducting cybersecurity training. For example, during the initial assessment, entities reported implementing 38 percent of the activities that covered the five functional areas of the framework. After two follow-up assessments, the entities reported that they increased their implementation to 50 percent of the framework's cybersecurity activities. This represented an approximately 32 percent increase in the number of protections against cyber risks, and an overall improvement in the sector entities' cybersecurity from use of the framework. By implementing our recommendation, EPA has a better understanding of the value of the framework in protecting the water and wastewater sector from cyber threats. |
GSA Office of the Administrator | The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6) | GSA, in coordination with its co-sector risk management agency, the Department of Homeland Security's (DHS) Federal Protective Service, identified improvements to the government facilities sector from the sector's use of the framework. Through Executive Order 13800, federal agencies that make up the government facilities sector were directed to provide a risk management report to the Office of Management and Budget (OMB) and DHS, in which agencies were assessed against the five functional areas of the framework. After receiving risk management reports from sector organizations, OMB identified four areas where agencies needed to improve their cybersecurity programs in its May 2018 Federal Cybersecurity Risk Determination Report and Action Plan. The four areas of improvement included cybersecurity threat awareness; information technology and cybersecurity standardization; security operations center consolidation; and agency accountability. GSA, working with DHS and OMB, identified that agencies in the government facilities sector had taken several steps that resulted in improvements in these four areas. For example, to address the cybersecurity threat awareness improvement area, officials from GSA, DHS, and OMB stated that the Office of the Director of National Intelligence published the Cyber Threat Framework to increase cybersecurity threat awareness. Additionally, to address the information technology and cybersecurity standardization improvement area, DHS's Continuous Diagnostics and Mitigation program helped achieve information technology and cybersecurity standardization by providing tools and services that collect and display standardized information to improve cybersecurity posture. Further, to address the security operations center consolidation area of improvement, DHS's Cybersecurity and Infrastructure Security Agency delivered core capability standards that are used to group services for future consolidation of security operation centers. By implementing our recommendation, GSA and DHS have a better understanding of the value of the framework in protecting the government facilities sector from cyber threats. |
Office of the Secretary for HHS | The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7) | The Department of Health and Human Services (HHS) concurred with our recommendation and has taken actions toward implementing it. In April 2023, HHS released the Hospital Cyber Resiliency Initiative: Landscape Analysis, which identified the extent to which hospitals participating in the study reported adopting the NIST cybersecurity framework. However, as of February 2024 HHS has not yet collected and reported on sector-wide improvements from the use of the framework. Until HHS implements this recommendation, it may not fully understand the value of the framework and approaches that could be prioritized in helping protect the healthcare and public health sector from cyber threats. In addition, HHS coordinated with the Department of Agriculture in taking initial steps to determine framework adoption across the food and agriculture sector by distributing two requests for information to food and agriculture sector members. However, those efforts did not generate enough responses to be useful. For instance, the Department of Agriculture did not receive any responses from private sector members regarding plans to implement, adopt, and measure improvements resulting from use of the framework. The Department of Agriculture stated that it has collaborated with HHS and DHS to determine if there are alternative methods for collecting and assessing more substantive information. As of February 2024, HHS and the other agencies have not yet identified alternative approaches or completed other actions for collecting and reporting on sector-wide improvements in the food and agriculture sector. We will continue to monitor the agency's progress in implementing our recommendation. |
Office of the Secretary for DHS | The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8) | DHS concurred with and has taken steps to implement our recommendation. Specifically, the department developed cross-sector cybersecurity performance goals that outline high-priority, baseline measures that businesses and critical infrastructure owners of all sizes can take to protect themselves from cyber threats. Each goal aligns with a corresponding practice in the NIST cybersecurity framework. Thus, the cross-sector performance goals can provide a basis for DHS and other sector risk management agencies to better understand and evaluate the extent to which individual sectors have realized improvements from the framework. DHS tracked cybersecurity improvements that organizations enrolled in the Cybersecurity and Infrastructure Security Agency's (CISA) vulnerability scanning service made based on their adoption of cross-sector cybersecurity performance goals. For instance, DHS identified a decline in the average number of known exploited vulnerabilities on organizations' networks between April 2022 and June 2023. DHS demonstrated that the improvements it has collected and reported on apply to sectors in which DHS is a sector risk management agency or co-sector risk management agency. By taking these steps, CISA has a more comprehensive understanding of the framework's use by its respective sectors, which helps DHS fully understand the value of the framework and approaches that could be prioritized in helping protect sectors from cyber threats. |
Office of the Secretary for DOT | The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9) | The Department of Transportation (DOT) agreed with this recommendation and has taken actions to implement it. DOT, in coordination with its co-sector risk management agency, the Department of Homeland Security (DHS), developed and analyzed the results of a survey to determine the transportation systems sector's adoption and use of the NIST cybersecurity framework. Among other things, the agencies found that sector entities that converted to using the NIST framework after becoming aware of it did so because of the value those organizations believed the framework added. DOT and DHS measured the value that the framework provided to organizations by asking how it helped them understand or manage cybersecurity risk, manage and prioritize cybersecurity requirements or activities, determine areas for improvement, and reduce risk. In addition, DHS identified a decline in the average number of known exploited vulnerabilities among organizations in the transportation systems sector between April 2022 and June 2023 based on the use of practices that correspond with the NIST cybersecurity framework. By collecting and reporting sector improvements from the use of the NIST cybersecurity framework, DOT and its co-sector partner DHS will be able to better understand the value of the framework and approaches that could be prioritized in helping protect the transportation systems sector from cyber threats. |
Office of the Secretary for Treasury | The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10) | Treasury neither agreed nor disagreed with this recommendation, stating that it does not have the authority to compel financial institutions to respond to inquiries regarding the sector's use of the framework or resulting improvements. In January 2023, Treasury identified plans to collaborate with the financial services sector to develop metrics on sector risk mitigation efforts and methods to determine framework adoption. However, as of February 2024 Treasury has not yet completed these efforts or provided a time frame for doing so. To implement our recommendation, Treasury needs to demonstrate that it has collected and reported on sector-wide improvements in the financial services sector resulting from its use of the NIST cybersecurity framework. Implementing our recommendation to gain a more comprehensive understanding of the framework's use will help Treasury fully understand the value of the framework and approaches that could be prioritized in helping protect the financial services sector from cyber threats. We will continue to monitor the agency's progress in implementing our recommendation. |