National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods
SCALE
- The nation’s 16 critical infrastructure sectors rely on 14 federal agencies
- The seven nonfederal entities with responsibility for sharing cyber threat information
COMPLIANCE FOCUS
- National Defense Authorization Act
- Cybersecurity Information Sharing Act
- Cyber Incident Reporting for Critical Infrastructure Act
- Presidential Policy Directive
- National Cybersecurity Strategy and Implementation Plan
- National Infrastructure Protection Plan
- National Cyber Incident Response Plan
PERFORMANCE ASPECT
- sharing cyber threat information between federal agencies and critical infrastructure owners and operators
- challenges to cyber threat information sharing and how federal agencies have taken action to address them
Although many organizations cited funding and resources as a facilitating factor, 13 organizations—eight federal agencies and five nonfederal entities—also told us that critical infrastructure owners and operators often have limited funding and resources; as such, they were not always able to effectively share cyber threat information with federal agencies. (…) Further, representatives from a nonfederal entity noted that critical infrastructure owners and operators in their sector often have a small number of employees (e.g., 10 to 15 employees) with few to no cybersecurity personnel—thereby limiting the amount of information that is shared with federal agencies.
2. Guidance
- Actionability
Nine organizations—five federal agencies and four non-federal entities—identified a lack of actionable information as a challenge to effective sharing of cyber threat information. For example, officials at an ISAC noted that CISA’s Automated Indicator Sharing system lacked customized threat information tailored to specific sectors or subsectors. As a result, critical infrastructure owners and operators were not always aware of actions they needed to take to address sector-specific threats, according to officials from that ISAC.
Although most organizations cited relationships as a facilitating factor, eight organizations—six federal agencies and two non-federal entities—also noted that limited relationships between critical infrastructure owners and operators and federal agencies challenged cyber threat information sharing. For example, officials at USDA stated that, given the large and diverse scope of entities in the food and agriculture sector (…) critical infrastructure owners and operators may not have a direct relationship with the agency to share cyber threat information, thus challenging the sharing of such information.
Thirteen organizations, nine federal agencies and four non-federal entities, identified limited sharing of classified or sensitive information as a challenge to effective cyber threat information sharing. In particular, because of these restrictive classifications or designations, federal agencies do not always widely share cyber threat information with critical infrastructure owners and operators. For example, DOT officials stated that when certain federal agencies provide classified briefings on select cybersecurity threats, only certain critical infrastructure owners and operators that have staff with the necessary security clearances may participate.
Ten organizations, seven federal agencies and three nonfederal entities, identified a lack of timely sharing of cyber threat information as a challenge to effective sharing of this information. Specifically, these organizations stated that federal agencies do not always share such information with critical infrastructure owners and operators in a timely manner. For example, officials at a sector coordinating council pointed out that in March 2022 the FBI shared information about the October 2021 cyberattacks targeting election officials. These officials explained that it would have been more valuable to share this information near the time of the attack.
Nine of the 14 selected federal agencies identified limited voluntary sharing as a challenge to effective cyber threat information sharing. Specifically, critical infrastructure owners and operators are not always required to share information on cyber incidents and may have other reasons for not voluntarily sharing information on cyber incidents. For example, CISA officials stated that, although the agency operates a system that allows critical infrastructure owners and operators to provide cyber incident reports to the agency, it receives very few reports.
6. Design
- Outcome measures
National strategies emphasize the importance of developing outcome-oriented performance measures to assess the effectiveness of actions taken to help address long-standing challenges. Establishing such measures can help organizations demonstrate the degree to which desired results were achieved. Although the implementation plan tasks ONCD with assessing the effectiveness of the strategy, the plan does not identify any outcome-oriented performance measures to assess the effectiveness of the steps taken under the eight information sharing initiatives described in the plan. (…) Until ONCD identifies outcome-oriented performance measures to assess progress made in implementing the eight information sharing initiatives, ONCD will not have a clear definition of what it wants to accomplish.