Volume 339, Issue 3 · IT News · Security

The Checklist Problem Behind Critical Infrastructure Cyber Safety

Help Net Security, Wednesday, June 17th, 2026

George Mason research reveals that compliance with federal cyber standards doesn't guarantee critical infrastructure can withstand attacks.

A George Mason University study analyzing U.S. cyber policy finds that compliance documentation has become a substitute for actual safety engineering in critical infrastructure. While 69% of defense contractors claim NIST SP 800-171 compliance, only 30% pass verified assessments.

The research documents cases where security controls created physical hazards, such as account lockout policies preventing emergency access or encryption adding latency to safety systems.

The study proposes redefining reasonable care around engineering evidence, requiring hazard-specific traceability and non-digital fallbacks rather than relying on checklist compliance alone.