Critical infrastructure companies drowning in cybersecurity guidance, says GAO

The Homeland Security Department isn't doing enough to distill, promote and disseminate cybersecurity guidance to entities within the critical-infrastructure sectors DHS is required to assist under Homeland Security Presidential Directive 7, according to the Government Accountability Office.

There is no shortage of cybersecurity guidance for entities operating in these sectors, according to a GAO report (.pdf) dated Dec. 9, 2011 but released publicly Jan. 9. In fact, the GAO says the opposite is the problem. Given the "plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective," the report says.

Regulatory entities require information security compliance in some critical infrastructure sectors that are under the purview of federal law, regulation or mandatory standards. Many critical infrastructure companies also follow National Institute of Standards and Technology guidance or recommendations from their respective standards bodies, such as the International Organization for Standardization, International Electrotechnical Commission or the International Telecommunication Union, says the report.

Rather than create additional guidance, DHS and the other sector-specific agencies should identify the key, existing guidance applicable to or widely used in each sector, recommend report authors.

GAO does not specify how the implementation of cybersecurity guidance should occur, only saying it could be done "through a variety of mechanisms," such as regulatory enforcement or through business incentives. However, responsible federal entities should "take additional steps to promote the most applicable and effective guidance throughout the sectors."

For more:
- download GAO-12-92 (.pdf)

Related Articles:
E.U. body outlines broad security goals for industrial control systems
DHS releases cyber strategy framework