« NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 | Main | 脅威インテリジェンスサービスの利用とコンプライアンス by 高橋郁夫弁護士 »

2020.03.22

GAO CRITICAL INFRASTRUCTURE PROTECTION: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements

こんにちは、丸山満彦です。

U.S. GAOが2020.02.25に重要インフラストラクチャの保護として「(サイバーセキュリティ)フレームワークの採用とその結果としての改善点を特定するために必要な追加措置」についての報告書を公表しています。監査して時点から報告書を公表するまでに時間があるので、その間に色々と改善もされていますが、米国のGAOの働きについては、改善を促す意味でも非常に良い働きをしていますよね。。。

GAO (Government Accountability Office)

・2020.02.25 GAO-20-299 CRITICAL INFRASTRUCTURE PROTECTION:Additional Actions Needed to Identify Framework Adoption and Resulting Improvements

・Report

[PDF] Highlights Page
[PDF] Full Report

=====

All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organization said that the framework allowed it to better identify and address cybersecurity risks.

However, the agencies with lead roles in protecting critical infrastructure are not collecting or reporting on improvements from using the framework as we recommended.

 

DeepLによる機械翻訳

私たちのレビューに参加した12の組織は、すべて自発的にこのフレームワークを使用しており、その効果を実感していると述べています。例えば、ある組織では、フレームワークのおかげでサイバーセキュリティのリスクをよりよく特定し、対処できるようになったと述べています。

しかし、重要インフラストラクチャの保護に主導的な役割を果たす機関は、私たちが推奨したようにフレームワークの使用による改善点を収集したり、報告したりしていません。

=====

Recommendations for Executive Action (Summary)

(01) The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measThe Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.
urement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats.

(02) The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. 

(03) The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.

(04) The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.

(05) The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.

(06) The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives.

(07) The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. 

(08) The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives.

(09) The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. 

(10) The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. 

 

What GAO Found

Most of the nine agencies with a lead role in protecting the 16 critical infrastructure sectors, as established by federal policy and referred to as sector-specific agencies (SSAs), have not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework), as GAO previously recommended. Specifically, two of the nine SSAs had developed methods and two others had begun taking steps to do so. The remaining five SSAs did not yet have methods to determine framework adoption. Most of the sectors (13 of 16), however, noted that they had taken steps to encourage and facilitate use of the framework, such as developing implementation guidance that links existing sector cybersecurity tools, standards, and approaches to the framework. In addition, all of the 12 selected organizations that GAO interviewed described either fully or partially using the framework. Nevertheless, implementing GAO's recommendations to the SSAs to determine the level and type of adoption remains essential to the success of protection efforts.

The 12 selected organizations using the framework reported varying levels of resulting improvements. Such improvements included identifying risks and implementing common standards and guidelines. However, the SSAs have not collected and reported sector-wide improvements. The SSAs and organizations identified impediments to doing so, including the (1) lack of precise measurements of improvement, (2) lack of a centralized information sharing mechanism, and (3) voluntary nature of the framework. NIST and the Department of Homeland Security (DHS) have initiatives to help address these impediments.

  • Precise measurements: NIST is in the process of developing an information security measurement program that aims to provide the tools and guidance to support the development of information security measures that are aligned with an individual organization's objectives. However, NIST has not established a time frame for the completion of the measurement program.
  • Centralized sharing: DHS identified its homeland security information network as a tool that was intended to be the primary system that could be used by all sectors to report on best practices, including sector-wide improvements and lessons learned from using the framework.
  • Voluntary nature: In April 2019, NIST issued its NIST Roadmap for Improving Critical Infrastructure Cybersecurity , version 1.1, which included a tool for organizations to self-assess how effectively they manage cybersecurity risks and identify improvement opportunities.

While these initiatives are encouraging, the SSAs have not yet reported on sector-wide improvements. Until they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.

|

« NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 | Main | 脅威インテリジェンスサービスの利用とコンプライアンス by 高橋郁夫弁護士 »

Comments

Post a comment



(Not displayed with comment.)


Comments are moderated, and will not appear on this weblog until the author has approved them.



« NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 | Main | 脅威インテリジェンスサービスの利用とコンプライアンス by 高橋郁夫弁護士 »