The Government Accountability Office has found that most organizations voluntarily agreed to adopt the National Institute of Standards and Technology's cybersecurity framework but their overseeing agencies are yet to develop ways to ensure NIST compliance.
GAO said in its report published Tuesday that it studied 12 organizations that reported voluntary compliance with NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The watchdog noted that five of the nine agencies with oversight of 16 critical infrastructure sectors are yet to establish methods for determining organizations’ adoption of the cybersecurity framework.
According to GAO, the 12 organizations reported progress such as risk identification and standardized guidelines upon implementation of the NIST framework.
The overseeing entities, known as sector-specific agencies, reported that they were unable to provide information on the improvements due to the framework’s voluntary nature as well as a lack of metrics and a centralized information-sharing procedure.
GAO said that until the SSAs establish a method for reporting sector-wide improvements, the “extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.”