Federal agencies tasked with critical infrastructure risk management aren’t measuring improvements made by the adoption of new guidelines, according to a watchdog report.
As critical infrastructure sectors adopt federal cybersecurity guidelines, a group of federal agencies tasked with cyber risk management aren’t measuring and assessing security improvements, according to a new report from the Government Accountability Office.
A 2013 presidential directive that was enshrined into law in the 2021 defense policy bill assigns responsibility for risk management across 16 critical infrastructure sectors to nine federal agencies. According to the report, those sector risk management agencies have not fully assessed the adoption of cybersecurity standards in 13 of the 16 major critical infrastructure sectors.
From nuclear reactors and critical manufacturing, to healthcare and emergency services, the report said agencies with responsibilities across nine sectors failed to determine the extent of implementation of the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. The framework provides sectors with a comprehensive cybersecurity program, featuring core security functions and technical safeguards to mitigate vulnerabilities and protect against intrusions.
Agencies have assessed the adoption of the framework in the defense industrial base, government facilities and water and wastewater systems.
Results were mixed in other critical infrastructure areas.
In some cases, steps were taken to determine the adoption of the framework: the Department of Energy began tracking requests for sector-based cybersecurity toolkits, for example. Yet most agencies struggled to track and assess the level of implementation across sectors.
Implementation of the NIST standards is voluntary and agencies don’t have authorities to obtain information from critical infrastructure operators other than through surveys and information sharing with sector-specific industry groups.
Additionally, as was noted in the report, agency activity can be diverted by ongoing crises.
“Officials from HHS stated that other priorities, such as the COVID-19 response and managing response planning and recovery from an increase in ransomware attacks, have stretched resources thin and shifted the focus away from determining adoption of the framework,” the report states.
There have been some noted successes in the three sectors in which agencies charged with risk management measured the adoption of the NIST framework, according to the report. Officials with the Environmental Protection Agency’s Office of Groundwater and Drinking Water noted a 32% increase in framework-recommended security controls within 146 water utilities which requested voluntary technical assessments.