Feds Prompted to Aid Private-Sector CybersecuritySifting Through Guidance for America's Critical IT Infrastructure
The U.S. Department of Homeland Security can do more to help operators of the America's critical infrastructure identify the guidance needed to secure their cyber-reliant systems, the Government Accountability Office said in a new report. And, DHS concurs that's something it will do.
GAO, the investigative arm of Congress, said most sector-specific critical infrastructure protection plans fail to identify key guidance and standards for cybersecurity. "Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture," Gregory Wilshusen, GAO director of information security issues, wrote in the report. "Improved knowledge of the guidance that is available could help both federal and private-sector decision makers better coordinate their efforts to protect critical cyber-reliant assets."
Promoting cybersecurity-related standards and guidance to boost the security of the nation's cyber-reliant critical infrastructure is federal policy, one in which a DHS director said the department endorses.
DHS on the Job
Homeland Security has begun to work with the Critical Infrastructure Partnership Advisory Council, a public-private forum, and sector coordinating councils to determine which guidance it should provide. "DHS will work with its public and private-sector partners ... to determine whether it is appropriate to have cybersecurity guidance drafted for each sector," Jim Crumpacker, director of DHS's GAO-OIG liaison office, said in a written response to the GAO recommendations.
Most critical infrastructure operators follow IT security guidance that's tailored to their respective industries and unique business needs. Regulated business are subject to mandatory standards; non-regulated business can voluntarily adopt standards and guidance. Sector coordinating council representatives contacted by GAO said lists of cybersecurity guidance used within their respective sectors should be augmented by additional standards and guidance.
GAO said DHS and the other sector-specific agencies such as the Treasury Department for banking and finance, Health and Human Services Department for healthcare and Energy Department for electrical generation and oil and gas distribution have not identified the key cybersecurity guidance applicable to or widely used in each of their respective sectors. Most of the sector-specific critical infrastructure protection plans reviewed by GAO do not identify key guidance and standards for cybersecurity because doing so was not specifically suggested by DHS guidance.
(Story continues after table.)
Wilshusen pointed out that cybersecurity guidance that GAO compared within the banking and finance, energy and nuclear sectors is substantially similar to guidance provided to federal agencies. Specifically, he said, documents supplementing the guidance addressed most risk management steps and recommended security controls that are specified for federal information systems in guidance from the National Institute of Standards and Technology.