GAO assesses progress in adopting cybersecurity framework

Federal agencies tasked with protecting the nation’s critical infrastructures are making progress in overseeing the adoption of a cybersecurity framework in some sectors, but there is still a long way to go, the U.S. Government Accountability Office said in a report released Wednesday.

In 2014, the National Institute of Standards and Technology issued a cybersecurity framework that included industry standards and best practices to help organizations manage cybersecurity risks.

Lead federal agencies — including those overseeing water and wastewater, government facilities and the defense industrial base — took actions such as developing sector surveys and conducting technical assessments mapped to framework elements, the GAO report said.

The Environmental Protection Agency, for example, identified about a 32% overall increase in the use of the NIST framework-recommended cybersecurity controls among the 146 water utilities that requested and received voluntary technical assessments, the report said.

But some agencies have not taken steps to determine the extent to which the infrastructure sectors they oversee have adopted the NIST framework. According to the report, these include agencies overseeing the following sectors: chemical, commercial facilities, communication, critical manufacturing, dams, emergency services, financial services, health care and public health, nuclear reactors, materials and waste.

The report said agencies reported various challenges to determining framework adoption and identifying sector-wide improvements, including limitations in knowledge and skills to implement the framework; the voluntary nature of the framework; other priorities that may take precedence over framework adoption; and the difficulty of developing precise measurements of improvement.

This website states: The content on this site is sourced from the internet. If there is any infringement, please contact us and we will handle it promptly.