Though most U.S. critical infrastructure sectors have taken actions to adopt the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, sector-specific agencies responsible for developing guidance failed to develop adequate measures for framework adoption within their cluster, a Feb. 15, 2018, Government Accountability Office report found.

“None of the SSAs had measured the cybersecurity framework’s implementation by entities within their respective sectors. None of the 16 coordinating councils reported having qualitative or quantitative measures of framework adoption because they generally do not collect specific information from entities about critical infrastructure protection activities. SSA officials also stated that the voluntary nature and other factors are impediments to collecting such information,” the report said.

“Until SSAs have a more comprehensive understanding of the use of the cybersecurity framework by entities within the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.”

After calls from both federal law and policy, NIST developed its cyber framework in 2014. The Cybersecurity Enhancement Act of 2014 provided provisions for GAO to review the implementation of that framework in critical infrastructure sectors, such as energy, financial services and healthcare.

The report also found that officials from the Department of Homeland Security, NIST, SSAs and the sector coordinating councils identified four challenges to cybersecurity framework adoption:

  • Limited resources;
  • Lacking knowledge and skills for framework adoption;
  • Regulatory, industry and other requirements that inhibit adopting the framework; and
  • Other priorities taking precedence over framework adoption.

GAO made recommendations to nine sector-specific agencies, calling for each to “develop methods for determining the level and type of framework adoption by entities across their respective sector.”

Five agencies agreed with the recommendations while four neither agreed nor disagreed, with many of the four stating that they did not have the authority to compel critical infrastructure entities to share cyber framework adoption data.