The Government Accountability Office reports that, although most U.S. critical infrastructure sectors have taken actions to adopt the NIST Cybersecurity Framework, none of the Sector-Specific Agencies responsible for developing guidance have developed adequate measures of adoption.
SSAs officials blame this on the voluntary nature of framework adoption. The GAO report says that until this is addressed, the SSAs will be unable to assess the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation.
Officials from the Department of Homeland Security, NIST, SSAs, and the sector coordinating councils identified four challenges to cybersecurity framework adoption:
- Limited resources;
- Lacking knowledge and skills for framework adoption;
- Regulatory, industry and other requirements that inhibit adopting the framework; and
- Other priorities taking precedence over framework adoption.