Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress

U.S. critical infrastructures, such as financial institutions, commercial buildings, and energy production and transmission facilities, are systems and assets, whether physical or virtual, vital to the nation’s security, economy, and public health and safety. To secure these systems and assets, federal policy and the National Infrastructure Protection Plan (NIPP) establish responsibilities for federal agencies designated as sector-specific agencies (SSA), including leading, facilitating, or supporting the security and resilience programs and associated activities of their designated critical infrastructure sectors. The Government Accountability Office's (GAO’s) objectives were to determine the extent to which SSAs have (1) identified the significance of cyber risks to their respective sectors’ networks and industrial control systems, (2) taken actions to mitigate cyber risks within their respective sectors, (3) collaborated across sectors to improve cybersecurity, and (4) established performance metrics to monitor improvements in their respective sectors. To conduct the review, GAO analyzed policy, plans, and other documentation and interviewed public and private sector officials for 8 of 9 SSAs with responsibility for 15 of 16 sectors. GAO recommends that certain SSAs collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber risk mitigation activities. Four of these agencies concurred with GAO’s recommendations, while two agencies did not comment on the recommendations.

Language

  • English

Media Info

  • Media Type: Digital/other
  • Features: Appendices; Figures; References; Tables;
  • Pagination: 82p

Subject/Index Terms

Filing Info

  • Accession Number: 01581083
  • Record Type: Publication
  • Report/Paper Numbers: GAO-16-79
  • Files: TRIS
  • Created Date: Nov 23 2015 11:05AM