Some critical infrastructure sectors included in GAO's review, such as the energy sector, are required to meet mandatory cybersecurity standards established by regulation under US federal law or face civil monetary penalties. By contrast, sectors not subject to federal regulation are only subject to voluntary cybersecurity guidance, the GAO report found.
“While private sector coordinating council representatives confirmed lists of cybersecurity guidance that they stated were used within their respective sectors, the representatives emphasized that the lists were not comprehensive”, the GAO said.
In addition, most of the sector-specific critical infrastructure protection plans do not provide guidance and standards for cybersecurity because of an omission by the Department of Homeland Security (DHS) in its guidance to the sectors, the agency noted.
“Individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets”, the GAO report said.
GAO is recommending that DHS, in collaboration with public and private sector partners, determine whether it is appropriate to have cybersecurity guidance listed in sector plans.