Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework, Report to Congressional Committees [open pdf - 6MB]
From the Highlights: "U.S. critical infrastructures, such as financial institutions and communications networks, are systems and assets vital to national security, economic stability, and public health and safety. Systems supporting critical infrastructures face an evolving array of cyber-based threats. To better address cyber-related risks to critical infrastructure, federal law and policy called for NIST [National Institute of Standards and Technology] to develop a set of voluntary cybersecurity standards and procedures that can be adopted by industry to better protect critical cyber infrastructure. The Cybersecurity Enhancement Act of 2014 included provisions for GAO [Government Accountability Office] to review aspects of the cybersecurity standards and procedures developed by NIST. This report determines the extent to which (1) NIST facilitated the development of voluntary cybersecurity standards and procedures and (2) federal agencies promoted these standards and procedures. GAO examined NIST's efforts to develop standards, surveyed a non-generalizable sample of critical infrastructure stakeholders, reviewed agency documentation, and interviewed relevant officials."
U.S. Government Accountability Office: http://www.gao.gov/