The Government Accountability Office (GAO) recently published a report reviewing collaboration in critical infrastructure cybersecurity. Critical infrastructure includes financial institutions and energy production, and is vital to U.S. national security, as well as the nation’s economy and public health and safety. These systems are secured by sector-specific agencies (SSAs) following federal policies and the National Infrastructure Protection Plan.
GAO analyzed policy, plans, and other documentation and interviewed public and private sector officials from SSAs when conducting their review. Among GAO’s objectives were to determine the extent to which the SSAs have:
- identified the significance of cyber risks to their respective sectors’ networks and industrial control systems;
- taken actions to mitigate cyber risks within their respective sectors;
- collaborated across sectors to improve cybersecurity; and
- established performance metrics to monitor improvements in their respective sectors.
GAO found that there were significant cyber risks to over two-thirds of the sectors, with the remaining sectors’ risks undetermined by the SSAs. GAO also found that SSAs generally took actions to mitigate cyber risks and vulnerabilities for their respective sectors. The SSAs also used multiple public-private and cross-sector collaboration mechanisms to facilitate the sharing of cybersecurity-related information, including the councils of federal and non-federal stakeholders. While many SSAs had not developed metrics to measure and report on their cyber risk mitigation activities, GAO noted that the Departments of Defense, Energy, and Health and Human Services had established performance metrics for their sectors.
GAO recommends that certain SSAs collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber risk mitigation activities. Four of these agencies concurred with GAO’s recommendations, while two agencies did not comment on them.
For more information on GAO-16-79, please follow the link below.
GAO-16-79, Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress