Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress, Report to the Committee on Homeland Security, House of Representatives
From the Highlights: "U.S. critical infrastructures, such as financial institutions, commercial buildings, and energy production and transmission facilities, are systems and assets, whether physical or virtual, vital to the nation's security, economy, and public health and safety. To secure these systems and assets, federal policy and the NIPP [National Infrastructure Protection Plan] establish responsibilities for federal agencies designated as SSAs [sector-specific agencies], including leading, facilitating, or supporting the security and resilience programs and associated activities of their designated critical infrastructure sectors. GAO's [Government Accountability Office] objectives were to determine the extent to which SSAs have (1) identified the significance of cyber risks to their respective sectors' networks and industrial control systems, (2) taken actions to mitigate cyber risks within their respective sectors, (3) collaborated across sectors to improve cybersecurity, and (4) established performance metrics to monitor improvements in their respective sectors. To conduct the review, GAO analyzed policy, plans, and other documentation and interviewed public and private sector officials for 8 of 9 SSAs with responsibility for 15 of 16 sectors."
Government Accountability Office: http://www.gao.gov/