GAO: Feds can improve critical cybersecurity

Cybersecurity for Critical Infrastructure Protection

Related Links

Although the private sector owns most of the nation's critical infrastructures, the federal government has several options to improve cybersecurity of such assets, including developing an overall framework that defines responsibilities, identifies assets and establishes standards, according to a General Accounting Office report released this week.

Such a critical infrastructure protection (CIP) plan would help the federal government assess risks, provide threat and vulnerability information to the private sector, enhance information sharing and promote awareness. The government could also better allocate resources or provide tax incentives or other policies for greater adoption of such technologies.

The GAO report said the federal government could take actions to protect its own systems as an example for others to emulate as well as take long-term actions to increase the quality and availability of such technologies in the marketplace. The report provided several actions by federal agencies in this area, such as development of an overall CIP plan by December.

It's important for the government to consider the scope of the problem, costs, benefits and other issues, the report said, as well as the technology issues surrounding the problem and structure of the security marketplace.

"To help determine the problem approach for the federal action, the government will require information from the private sector on the scope and size of the cybersecurity problem and the actions that the private sector is already taking to address the problem," the report said. Later, it added that sometimes the best course of action for the federal government "may be to take no action at all" if private-sector responses are adequate.

The report also said ultimately protection of the critical infrastructure — some 85 percent -- falls to its private owners. There are many cybersecurity technologies available that help, but the report said many aren't being purchased or implemented to the fullest extent.

An overall framework can help assist the selection of such technologies, including determining business requirements for security, performing risk assessments, establishing a security policy, implementing a solution that involves people, processes and technologies, and continuously monitoring and managing security.

"Despite the availability of current cybersecurity technologies, there is a demonstrated need for new technologies," the report added. "Long-term efforts are needed, such as the development of standards, research into cybersecurity vulnerabilities and technological solutions, and the transition of research results into commercially available products."

Featured

  • Defense
    The Pentagon (Photo by Ivan Cholakov / Shutterstock)

    DOD CIO hits pause on JEDI cloud acquisition

    Dana Deasy set cloud as his office's top priority. But when it comes to the JEDI request for proposal, he's directed staff to "pause" to compile a comprehensive review.

  • Cybersecurity
    By Gorodenkoff shutterstock ID 761940757

    Waging cyber war without a rulebook

    As the U.S. looks to go on the offense in the cyber domain, critical questions remain unanswered around who will take the lead and how clearly to draw the rules of engagement.

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Deadline extended for Rising Star nominations

    You now have until July 18 to help us identify the early-career innovators and change agents in government IT.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.