From the GAO [Government Accountability Office] Highlights: "Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST [National Institute of Standards and Technology] developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures. The 'Cybersecurity Enhancement Act of 2014' included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs [sector-specific agencies] have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials."