Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption, Report to Congressional Committees [open pdf - 8MB]
"Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyberrelated risks to critical infrastructure, in 2014, NIST [National Institute of Standards and Technology] developed, as called for by federal law and policy, 'the Framework for Improving Critical Infrastructure Cybersecurity', a voluntary framework of cybersecurity standards and procedures for industry to adopt. The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's [Government Accountability Office] objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors."
Government Accountability Office: http://www.gao.gov/