Several U.S. federal agencies responsible for measuring and evaluating cybersecurity standards have neglected their obligations in this area, according to a report recently released by the Government Accountability Office (GAO).
The report follows a 2013 presidential directive that was signed into law in last year’s US Defense Policy Bill, assigning responsibility for cyber risk management to nine agencies in 16 critical infrastructure sectors. These agencies include the Departments of Agriculture, Defense, Energy, Health and Human Services, Transportation, Treasury, and Homeland Security, as well as the Environmental Protection Agency and General Services Administration.
Yet, of the 16 critical infrastructure sectors that departments were supposed to assess for the adoption of cybersecurity standards, 13 turned out to have incomplete audits, as reported by Government Executive.
Specifically, the GAO said the agencies had not confirmed sectors’ compliance with a framework known as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Agencies in nine of the sectors were found to have taken no action to determine adoption of this framework. These sectors included chemical; emergency services; healthcare and public health; financial services; commercial facilities; communications; and nuclear reactors, materials and waste.
The report noted the views of some agencies on why these obligations have not been met.
“Officials of [US Department of Health and Human Services] said other priorities, such as responding to COVID-19 and managing response and recovery planning after an increase in ransomware attacks, have drained resources and diverted attention from determining adoption of the framework,” the report states.
Some agencies did better than others. For example, the Department of Energy had begun tracking requests for industry-specific cybersecurity toolkits. Despite this, most agencies have failed to monitor and assess levels of implementation.
The GAO clarified that the purpose of its report was to respond to the growing threat of cyberattacks “such as the May 2021 ransomware cyberattack on a US pipeline system that led to regional gas shortages,” adding that such events represent “a significant challenge to national security”.
The report said the NIST framework was launched “to better protect against cyber threats”, providing a program with basic security features and technical safeguards to manage the risk of vulnerabilities and intrusions.
Implementation of the NIST framework is voluntary, however, which the report cites as another reason some agencies gave for not prioritizing their assessments. Other challenges they faced include “developing accurate measures of improvement” when measuring adoption.
The report offered recommendations, including that the agencies work to “develop measures to assess the effectiveness of its efforts to promote the framework.” It said the Department of Homeland Security (DHS) agrees with the recommendation and has begun taking steps to implement it.
Commenting on steps already taken to improve the assessment rate, GAO noted that NIST launched an information security measurement program in 2020, while DHS established an information network to enable sectors to “share best practices”.
The GAO also said it has made efforts to encourage agencies to develop methods for determining the level of adoption of the framework and reporting on industry-wide improvements. However, it added, “most agencies have yet to implement these recommendations.”
“Implementation of previous GAO recommendations on adoption and framework enhancements are key factors that can lead industries to pursue additional protection against cybersecurity threats,” the report said.