July 22, 2021 | Visual

Comparison of Cybersecurity Guidance for Critical Infrastructure Sectors

Download Sector Mapping Chart (.xlsx)

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary and comprehensive but flexible guidelines for how enterprises across all sectors of critical infrastructure should manage and reduce cybersecurity risk. The framework lists and explains specific steps companies should take to identify key assets and policies, protect data and resources, detect cybersecurity incidents, respond to a breach, and recover from an attack. NIST issued the original version of its framework in 2014 and an updated version in 2018.

Executive Order 13636 of 2013 recommended using the NIST framework for critical infrastructure. A concurrent presidential directive identified 16 sectors as U.S. critical infrastructure and designated a lead federal agency for each sector. Originally called sector-specific agencies, the leads for each sector are now known as sector risk management agencies (SRMAs). Executive Order 13800 of 2017 requires all federal agencies to use the NIST framework, although it remains voluntary for the private sector.

Each SRMA provides a publicly available cybersecurity framework implementation guidance document or an alternative reference as specified in the SRMA’s Sector-Specific Plan. These references demonstrate how the sector’s individual cybersecurity tools and resources align to the NIST Cybersecurity Framework. These documents are available on the website of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

To enhance the quality and implementation of cybersecurity best practices across the 16 sectors of critical infrastructure, FDD’s Center on Cyber and Technology Innovation (CCTI) has produced this Sector Mapping Chart. Previously, there was no single product that enabled researchers or decision makers to compare how the various SRMAs tailor NIST’s Cybersecurity Framework for application to their respective domains. The Sector Mapping Chart also cross-references SRMA guidance with policy recommendations from CCTI and its Transformative Cyber Innovation Lab.

By facilitating cross-sector comparisons, the Sector Mapping Chart reveals troubling shortcomings.

First, the chart shows that many of the SRMAs’ Sector-Specific Plans and guidance have not been updated since the latest version of the NIST framework was published in 2018. As a result, these plans and guidance often lack references to supply chain security, which the NIST framework only integrated as part of its 2018 revision. Plans and guidance that predate that revision may identify practices relevant to supply chain security but do not align them to the NIST framework.

A comparison across sectors also reveals that cybersecurity guidance for the transportation sector is the least well-defined. The transportation sector includes pipeline systems, for which the Transportation Security Administration is belatedly trying to apply cybersecurity requirements. Meanwhile, guidance for the water sector does not address how to establish a baseline for network operations. Without such a baseline, enterprises have no clear benchmark against which to measure potential anomalies that would indicate a breach, and operators may also find it far more difficult to understand the likely impact of potential breaches. And, at the time of this writing, CISA’s website provides no guidance for either the government facilities sector or the information technology sector, the latter of which was the target of the REvil ransomware attack earlier this month.

Across all sectors, guidance related to post-breach recovery is lacking. This is particularly problematic given that for many enterprises, a cyber breach is not a matter of if, but when.

Based on CCTI’s comparative analysis of SRMA plans and guidance, the top 10 unaddressed cybersecurity issues (identified by their NIST sub-category labels) are:

  1. RC.CO-1: Public relations are managed
  2. RC.CO-2: Reputation is repaired after an incident
  3. ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
  4. RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
  5. RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  6. ID.BE-5: Resilience requirements to support the delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)
  7. ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  8. DE.DP-2: Detection activities comply with all applicable requirements
  9. RS.AN-3: Forensics are performed
  10. RC.IM-2: Recovery strategies are updated

The Sector Mapping Chart is available for download as an Excel file. The first sheet maps how each sector (through its individual cybersecurity tools and resources) aligns to the NIST Cybersecurity Framework. The second sheet contains the same information as the first but adds depth by providing, where possible, specific requirements from the sector plans or guidance. The subsequent sheets — one for each of the 16 critical sectors — provide the relevant SRMA’s original mapping of its Sector-Specific Plan and implementation guidance to the NIST framework.

On the first sheet, columns A through C identify and link to FDD products that contain recommendations related to specific NIST Cybersecurity Framework categories and controls. Columns D through G contain the NIST framework itself in detail. Columns H through AJ indicate where sector-specific plans and guidance from the relevant SRMA align with the NIST framework.