Sector-specific agencies – those agencies tasked with helping areas of the US economy better shore up and coordinate cybersecurity efforts – need to develop better ways to measure the progress of their efforts and assess the security posture of 15 industrial sectors such as energy production and transmission, GAO has said.
It said SSAs generally took actions to mitigate cyber risks and vulnerabilities for their respective sectors. For example, they developed, implemented, or supported efforts to enhance cybersecurity and mitigate cyber risk with activities that aligned with a majority of the actions called for by the National Infrastructure Protection Plan, GAO said. Some SSAs have also identified incentives to promote cybersecurity within their sectors.
But while the Departments of Defense, Energy, and Health and Human Services have established performance metrics for their three sectors, the SSAs for the other 12 sectors had not developed metrics to measure and report on the effectiveness of all of their cyber risk mitigation activities or their sectors’ cybersecurity posture, according to GAO-16-79.
One reason for this, it said, is that the SSAs rely on their private sector partners to voluntarily share the information needed to measure their efforts.
The NIPP directs SSAs and their sector partners to identify high-level outcomes to facilitate progress towards national goals and priorities, but until SSAs develop performance metrics and collect data to report on the progress of their efforts to enhance the sectors’ cybersecurity posture, they may be unable to adequately monitor the effectiveness of their cyber risk mitigation activities and document the resulting sector-wide cybersecurity progress, GAO said.