The Government Accountability Office is urging lead agencies to measure the effectiveness of cybersecurity programs they established to protect Internet of Things and operational technology use in critical infrastructure sectors.
In a report released Thursday, GAO reviewed cybersecurity initiatives launched by the Departments of Energy, Health and Human Services, Transportation and Homeland Security, which govern the electricity, transportation and health care industries.
IoT and OT devices are widely used to deliver services in critical infrastructure. To ensure data privacy and safety, agencies including the DOE, HHS, DOT and DHS launched IT protection programs based on guidelines from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. These programs are required by the Internet of Things Cybersecurity Improvement Act of 2020, which bans the purchase and use of IoT products that are not compliant with NIST standards.
GAO found that the agencies did not have metrics to evaluate their initiatives’ effectiveness. The government watchdog also learned that the Office of Management and Budget does not have a standardized process for waiving the ban on non-compliant devices that meet certain criteria under the Act.
The reviewed agencies said they have noted GAO’s recommendations and will coordinate to formulate an action plan. OMB explained that it intended to release the waiver guidance in November.