Critical Infrastructure Protection: Agencies Need to Assess Adoption of Cybersecurity Guidance

The nation’s 16 critical infrastructure sectors provide essential services such as banking, electricity, and gas and oil distribution. However, increasing cyber threats—like the May 2021 ransomware cyberattack on an American oil pipeline system that led to regional gas shortages—represent a significant national security challenge. To better protect against cyber threats, the National Institute of Standards and Technology (NIST) facilitated, as required by federal law, the development of a voluntary framework of cybersecurity standards and procedures for sectors to use. The Cybersecurity Enhancement Act of 2014 included provisions for the U.S. Government Accountability Office (GAO) to review aspects of the framework. GAO’s report addresses the extent to which sector risk management agencies (SRMAs) have (1) determined framework adoption by entities within their respective sectors and (2) identified improvements resulting from sector-wide use. GAO analyzed documentation, such as requests for information, polls, and survey instruments. It also conducted interviews with agency officials from each SRMA and NIST. In prior reports, GAO recommended that the nine SRMAs (1) develop methods for determining the level and type of framework adoption by entities across their respective sectors and (2) collect and report sector-wide improvements. Most agencies have not yet implemented these recommendations.

Language

  • English

Media Info

  • Media Type: Digital/other
  • Features: Appendices; Figures; References; Tables
  • Pagination: 49p

Filing Info

  • Accession Number: 01838021
  • Record Type: Publication
  • Report/Paper Numbers: GAO-22-105103
  • Files: TRIS
  • Created Date: Feb 28 2022 5:05PM