GAO Tells Agencies to Consult Public Sector on NIST Cybersecurity Framework Adoption
In a report, the GAO recommended that various agencies, including the Department of Homeland Security and the National Institute of Standards and Technology, consult sector partners in adopting NIST’s cybersecurity framework (see 1801190057). DHS, NIST, sector-specific agencies and others initially identified four challenges to adopting the cybersecurity framework. The agencies and groups explained that the ability to commit necessary resources for adoption may be limited; necessary knowledge and skills may be lacking; various regulatory, industry and other requirements may inhibit adoption; and other priorities may take precedence over conducting cyber-related risk management or adopting the framework. GAO recommended that DOD, the departments of Energy, Health and Human Services, Transportation and Treasury, the EPA, the General Services Administration and DHS “take steps to consult with respective sector partners … to develop methods for determining the level and type of framework adoption by entities across their respective sector.” Five agencies agreed with the framework, and four others “neither agreed nor disagreed,” GAO said. NIST scheduled a 2018 Framework Workshop for Sept. 11-13. The agency is reviewing comments for Draft 2 of Framework Version 1.1.