US watchdog detects shift in CISA’s role from critical assets protection to improving resilience of critical functions

A report by the U.S. Government Accountability Office (GAO) identified that the Cybersecurity and Infrastructure Security Agency (CISA) has started shifting its focus from simply protecting a set of critical assets to improving the resilience of critical functions, such as supplying water. 

“But, it could do more to communicate this shift,” GAO said in a report this week. 

CISA has undertaken a wide range of efforts to identify and prioritize nationally significant critical infrastructure but could take steps to improve and further these efforts, GAO said. “Helping to ensure that CISA’s process for identifying and prioritizing critical infrastructure accounts for current threats and meets the needs of all states could allow CISA and its partners to have a more relevant and useful understanding of critical infrastructure risk,” it added.

GAO was asked to review CISA’s critical infrastructure prioritization activities; ensuring that the process for determining priorities reflects current threats, such as cyberattacks, and incorporates input from additional states would give the security agency greater assurance that it and its stakeholders are focused on the highest priorities. The report also examines the extent to which the National Critical Infrastructure Prioritization Program currently identifies and prioritizes nationally significant critical infrastructure, CISA’s development of the ‘National Critical Functions’ framework, and the essential services and information that CISA provides to mitigate critical infrastructure risks. 

The National Critical Infrastructure Prioritization Program is intended to identify the critical infrastructure assets in most need of protection, GAO said in its report. “Nearly all federal and state officials we spoke with questioned the program’s relevance and usefulness. For example, they said it doesn’t consider the most prevalent infrastructure threats, such as cyberattacks,” it added. 

CISA published in 2019 a set of 55 critical functions of government and the private sector considered vital to the security, economy, and public health and safety of the nation. According to CISA officials, the National Critical Functions framework is intended to better assess how failures in key systems, assets, components, and technologies may cascade across the 16 critical infrastructure sectors. 

“CISA plans to integrate the National Critical Functions framework into broader prioritization and risk management efforts, and has already used it to inform key agency actions,” GAO said in its report. “Although CISA initiated the functions framework in 2019, most of the federal and nonfederal critical infrastructure stakeholders that GAO interviewed reported being generally uninvolved with, unaware of, or not understanding the goals of the framework.”

Specifically, “stakeholders did not understand how the framework related to prioritizing infrastructure, how it affected planning and operations, or where their particular organizations fell within it,” GAO added.

In response to these issues, CISA officials stated that stakeholders with local operational responsibilities were the least likely to be familiar with the National Critical Functions, which were intended to improve the analysis and management of cross-sector and national risks. 

“Still, CISA officials acknowledged the need to improve connection between the National Critical Functions framework and local and operational risk management activities and communications,” GAO said in its report. “In addition, CISA lacks an available documented framework plan with goals and strategies that describe what it intends to achieve and how. Without such a documented plan, stakeholders’ questions regarding the framework will likely persist,” it added.

CISA offers physical and cybersecurity assessments to critical infrastructure partners, but the agency’s 2020 reorganization resulted in challenges in communicating and coordinating the delivery of some cybersecurity services.

GAO conducted the study to assess the risk environment for critical infrastructure ranging from extreme weather events to physical and cybersecurity attacks. “The majority of critical infrastructure is owned and operated by the private sector, making it vital that the federal government work with the private sector, along with state, local, tribal, and territorial partners. CISA is the lead federal agency responsible for overseeing domestic critical infrastructure protection efforts,” the report added.

The congressional watchdog recommended that CISA improve its process for identifying critical infrastructure priorities to better reflect current threats, while seeking input from states that have not provided recent updates on identifying critical infrastructure. It also recommended that the agency involve stakeholders in the development of the National Critical Functions framework, document goals and strategies for the framework, improve efforts to coordinate cybersecurity services, and share regionally specific threat information.

GAO also made six recommendations for executive action. It suggested that the CISA director should ensure that the agency’s process for developing a prioritized list of critical infrastructure that would cause national or regional catastrophic effects if destroyed or disrupted reflects current threats. It also called on the CISA director to ensure that the same prioritization process includes input from additional states that have not provided recent nominations or updates. 

It also recommended that the CISA director should ensure that stakeholders are fully engaged in the implementation of the National Critical Functions framework, and document, as appropriate, goals and strategies for the National Critical Functions framework. 

GAO also proposed that the CISA director should implement processes to improve communication and coordination between critical infrastructure organizations and CISA headquarters and regional staff, in addition to coordinating with relevant regionally based, federal, and non-federal partners to regularly develop and distribute regionally specific threat information. 

Last December, CISA released a status update addressing the critical infrastructure sector and informing stakeholders of the progress made on the main activities of the National Critical Functions. It also provided details on the progress made to advance federal implementation of the NCF Framework. 
