New GAO Report Questions Adoption and Effectiveness of NIST CSF across Critical Infrastructure

By Rick Tracy •  March 18, 2020

A recent GAO report titled "Critical Infrastructure Protection – Additional Actions Needed to Identify Framework Adoption and Resulting Improvements" indicates there is not enough information about the level or effectiveness of NIST Cybersecurity Framework (CSF) adoption across the 16 critical infrastructure sectors:

1. Chemical Sector

2. Commercial Facilities Sector

3. Communications Sector

4. Critical Manufacturing Sector

5. Dams Sector

6. Defense Industrial Base Sector

7. Emergency Services Sector

8. Energy Sector

9. Financial Services Sector

10. Food and Agriculture Sector

11. Government Facilities Sector

12. Healthcare and Public Health Sector

13. Information Technology Sector

14. Nuclear Reactors, Materials, and Waste Sector

15. Transportation Systems Sector

16. Water and Wastewater Systems Sector

According to the report, there are three impediments that prevent GAO from understanding sector-wide cyber risk improvements resulting from CSF adoption:

  1. Lack of precise measurements of improvement,
  2. Lack of a centralized information sharing mechanism, and
  3. Voluntary nature of the framework.

Items 1 and 2 suggest that methods to measure improvement and share such results in a standardized way are needed in order to draw any real conclusions regarding benefit.  The report indicates that NIST and DHS are working to resolve these two issues.  However, to me, the more interesting point is item 3 – the voluntary nature of the CSF.

Is Voluntary the Right Approach?

Since it was first introduced in Feb 2014, in response to Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity, the NIST CSF has been a voluntary framework.  NIST took a very progressive crowd-sourcing approach to developing the CSF.  They held a number of working groups over the course of 12 months in collaboration with industry, in hopes that there would be a feeling of ownership among industry and that ownership would encourage voluntary adoption.

But the question has remained: will critical infrastructure organizations voluntarily implement the CSF, or will adoption require some pressure… in the form of mandates?

Based on the findings of the GAO report, it seems like the simple question of whether critical infrastructure organizations have adopted the CSF is not adequate.  This should not be a yes or no question, because the CSF offers a great deal of flexibility, so much so that it’s possible for an organization to partially implement the CSF in ways that offer little to no risk reduction benefit.  Therefore, in addition to whether the CSF has been implemented, it is important to understand how it has been implemented to determine if it is being used in a way that offers benefit and helps achieve the desired effect, i.e., reduced cyber risk.  As the GAO report indicates, understanding CSF adoption and level of adoption across each critical infrastructure sector is important.

According to the GAO report, many Sector Specific Agencies (SSAs) have encouraged their respective sectors to adopt the CSF, and many organizations have reported full or partial adoption. On the surface, this sounds encouraging.  There has been adoption, perhaps significant adoption, without mandates.  However, what does adoption really mean? Are these organizations adopting their SSAs’ implementation guidance for their particular sector, or are they taking too much advantage of the CSF’s flexibility?

To be clear:  I’ve often stated – and still believe – that the flexibility of the CSF is one of its greatest benefits, enabling organizations to leverage it as best suits their needs. But too much variation can reduce its effectiveness.  If organizations will not voluntarily adopt the CSF and implement it in the specific ways defined by the SSAs, then it might be necessary to apply more pressure.

It could be helpful to operationalize these sector-specific CSF implementations using software to make it easier for organizations to implement based on defined templates and profiles.  A centralized software approach would make it easier for SSAs to understand status and risk posture across each sector.  It would make future reports to GAO much simpler and more complete.

According to the GAO, approximately 85% of critical infrastructure is owned by the private sector.  Effective cyber risk management practices across all critical infrastructure sectors are essential for national security.  Therefore, it is essential for critical infrastructure organizations to take all appropriate steps to manage their cyber risks.  Voluntarily adopting the CSF in a meaningful way, as defined by the SSAs, is a good first step.

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy
