Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements


Cyber threats to the nation’s critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures.

The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials.

Report at:

Recent Posts
Contact Us

Please send us a short message and we'll get back to you soon. Thank you.